Microsoft fixes 2 critical Exchange Server flaws reported by the NSA
Microsoft's Patch Tuesday security updates address four critical and high-severity vulnerabilities in Microsoft Exchange Server, two of which were reported by the NSA.
Microsoft's Patch Tuesday security updates released today address four critical and high-severity vulnerabilities in Exchange Server (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483); two of these flaws were reported by the U.S. National Security Agency (NSA).
All four are remote code execution (RCE) vulnerabilities that could allow attackers to compromise vulnerable installations; for this reason, Microsoft urges its customers to install the latest updates.
New MS Exchange patches you will want to apply.
CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483.
Not exploited or found in wild. All 4 are RCE, 2 pre-auth. https://t.co/xN8WMen9X1 https://t.co/Vdszn0x5Ig https://t.co/BhZCl79O48 https://t.co/HLkzze5fjD
— Kevin Beaumont (@GossiTheDog) April 13, 2021
The two vulnerabilities reported by the NSA, tracked as CVE-2021-28480 and CVE-2021-28481, could allow persistent access to and control of enterprise networks.
Both flaws received a CVSS score of 9.8 out of 10 because they can be exploited by remote, unauthenticated attackers without user interaction.
“Since the attack vector is listed as “Network,” it is likely these bugs are wormable – at least between Exchange servers. The CVSS score for these two bugs is actually higher than the Exchange bugs exploited earlier this year. These bugs were credited to the National Security Agency.” reads the post published by the Zero Day Initiative. “Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible.”
NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks. https://t.co/SYkqmjeM2h
— NSA Cyber (@NSACyber) April 13, 2021
The vulnerabilities affect on-premises Exchange Server 2013 through 2019; Microsoft expects that threat actors are likely to exploit them in the wild very soon.
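A practical first step for defenders, as an added example that is not from the article, from Microsoft or from the NSA: inventory the on-premises Exchange servers and read the file version of ExSetup.exe on each one. The AdminDisplayVersion property returned by Get-ExchangeServer only reflects the installed Cumulative Update and does not change when a Security Update is applied, so it cannot tell you whether today's fix is in place; the ExSetup.exe file version does change. The $PatchedBuild parameter is a placeholder (an assumption of this example): set it to the patched build number for your Cumulative Update from Microsoft's release notes, which this page does not list.

```powershell
# Added example (not from the article): run from the Exchange Management Shell
# on a host that can reach every Exchange server over PowerShell remoting.
# $PatchedBuild is a placeholder (assumption): supply the patched build number
# for your Cumulative Update, taken from Microsoft's release notes.
param(
    [Parameter(Mandatory = $true)]
    [version]$PatchedBuild
)

$report = foreach ($srv in Get-ExchangeServer) {
    # AdminDisplayVersion reflects the CU level only; the Security Update is
    # visible in the file version of ExSetup.exe under the install directory.
    try {
        $raw = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
            $path = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            (Get-Item $path).VersionInfo.FileVersion
        }
        $exsetupBuild = [version]$raw
        $status = if ($exsetupBuild -ge $PatchedBuild) { 'Patched' } else { 'NEEDS UPDATE' }
    }
    catch {
        # Unreachable or failed servers are reported, not silently skipped.
        $exsetupBuild = $null
        $status = "Unknown: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Server       = $srv.Name
        CU           = $srv.AdminDisplayVersion
        ExSetupBuild = $exsetupBuild
        Status       = $status
    }
}

$report | Sort-Object Status, Server | Format-Table -AutoSize
```

Servers reported as NEEDS UPDATE or Unknown are the ones to deal with first; comparing against the build number rather than trusting AdminDisplayVersion avoids the common mistake of believing a server is patched because its CU is current.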
“Cybersecurity is national security,” said NSA Cybersecurity Director Rob Joyce. “Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors. Don’t give them the opportunity to exploit this vulnerability on your system.”
The NSA confirmed that the two critical vulnerabilities in Microsoft Exchange Server were recently discovered by its experts, who immediately reported them to Microsoft.
“After we disclosed these vulnerabilities to Microsoft, they promptly created a patch. NSA values partnership in the cybersecurity community. No one organization can secure their networks alone,” states the NSA.
Microsoft's April 2021 Patch Tuesday addressed a total of 114 vulnerabilities in Microsoft Windows, Edge (Chromium-based), Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server, Visual Studio, and Exchange Server. Of these, 19 are rated Critical, 88 are rated Important, and one is rated Moderate in severity.
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine