Updates released for new critical vulnerabilities in Microsoft Exchange
Four Remote Code Execution (RCE) vulnerabilities have been discovered in Microsoft Exchange Server and patches have been released.
Two of these vulnerabilities are exploitable without authentication. These vulnerabilities must be patched urgently due to the level of access they would grant an attacker. This set of vulnerabilities is different from the ones released earlier this year, detailed in our March 2021 advisory.
Organisations running Microsoft Exchange servers are urged to patch as soon as possible to prevent possible exploitation.
On-premises Microsoft Exchange Server versions:
What this means
Attackers may be able to exploit these vulnerabilities to execute their own code on affected servers, which would grant them access and control of the server. This level of access can lead to data exfiltration and further network compromise. This year we have seen similar vulnerabilities being exploited by attackers uploading ransomware to affected machines, and it is possible these vulnerabilities will be exploited in a similar manner.
What to look for
How to tell if you're at risk
If your organisation is running Microsoft Exchange version 2013, 2016, or 2019 and has not yet applied the April 2021 security update, you are at risk. Microsoft has also released an “Exchange Server Health Checker” script that you can use to check your servers, detailed in the Microsoft Exchange team blog post.
If you are using Exchange Online products, you are not affected and do not need to take any action.
What to do
Apply the April 2021 security updates as soon as possible. The Microsoft Exchange team has written a blog post with helpful information for administrators.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.