Microsoft suggested that on-premises Exchange customers install fixes "as soon as possible" to mitigate newly patched critical vulnerabilities.
"We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats," Microsoft writes in a blog post.
Users of Exchange Online do not need to take any action.
The alert about new Exchange bugs come soon after on-premises Exchange customers were told to patch against a campaign actively exploiting a zero-day vulnerability. Microsoft originally discovered and disclosed targeted attacks as coming from a group the company dubbed Hafnium, which they described as a state-sponsored organization located in China. Subsequent discoveries showed that the attacks were more widespread than originally reported.
After the patch and a subsequent exploit were released, criminal groups also took advantage.
The new Microsoft patch released Tuesday draws on research from Microsoft's internal team and a disclosure from the National Security Agency. Both CVE-2021-28480 and CVE-2021-28481 are critical severity remote code execution vulnerabilities.
"Cybersecurity is national security. Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors," said NSA Director of Cybersecurity Rob Joyce in a statement to the press. "Don't give them the opportunity to exploit this vulnerability on your system."
