15.04.2021 - Microsoft had already disclosed Exchange Server vulnerabilities in March and provided corresponding patches. New vulnerabilities have now emerged and need to be patched immediately.
The new vulnerabilities affect 2013, 2016 and 2019 versions of Exchange Server. Microsoft disclosed this on Tuesday and issued the requisite patches. The NCSC sent the necessary information to critical infrastructure operators on Wednesday.
Apparently, no malware that already exploits the vulnerabilities has been identified yet, but it is still important to deploy the patches immediately.
- CVE-2021-28480: Exchange Server RCE Vulnerability
- CVE-2021-28481: Exchange Server RCE Vulnerability
- CVE-2021-28482: Exchange Server RCE Vulnerability
- CVE-2021-28483: Exchange Server RCE Vulnerability
Make sure that the patches are deployed!
For more information and general recommendations, see the NCSC announcement of 12 March:
Vulnerability in Exchange servers
Last modification 15.04.2021
