14/04/2021

Critical vulnerabilities affect Microsoft Exchange Server – Action Recommended

On April 13, 2021, Microsoft published security updates to address four critical remote code execution vulnerabilities that impact Exchange Server 2013, 2016, and 2019. Exchange Online environments are not affected. The following CVEs have been assigned to these vulnerabilities:

  • CVE-2021-28480
  • CVE-2021-28481
  • CVE-2021-28482
  • CVE-2021-28483

No in-the-wild or proof-of-concept exploits have been reported as of this publication. However, Secureworks® Counter Threat Unit™ (CTU) researchers expect threat actors to quickly develop exploits due to historical targeting of Exchange Servers.

Recommended actions

Customers are advised to review and apply the Microsoft April 2021 security updates as appropriate in their environments as soon as possible. The Exchange Server security updates released in March do not address these vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that federal agencies take immediate and emergency action to patch these vulnerabilities on their systems.

Questions

If you have any questions or concerns about this advisory, please contact us at support@empsn.org.uk.

References

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617
https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064
https://www.bleepingcomputer.com/news/security/nsa-discovers-critical-exchange-server-vulnerabilities-patch-now/
https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28483
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28482
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28481
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28480
