
Microsoft closes new critical Exchange vulnerability, urges patch ‘as soon as possible’

Microsoft signage is seen on March 13, 2020 in New York City. New research indicates that the scope of a breach of the Microsoft Exchange Server may be far greater than originally thought. (Jeenah Moon/Getty Images)

Microsoft suggested that on-premises Exchange customers install fixes "as soon as possible" to mitigate newly patched critical vulnerabilities.

"We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats," Microsoft writes in a blog post.

Users of Exchange Online do not need to take any action.

The alert about new Exchange bugs comes soon after on-premises Exchange customers were told to patch against a campaign actively exploiting a zero-day vulnerability. Microsoft originally discovered and disclosed targeted attacks as coming from a group the company dubbed Hafnium, which it described as a state-sponsored organization located in China. Subsequent discoveries showed that the attacks were more widespread than originally reported.

After the patch and a subsequent exploit were released, criminal groups also took advantage.

The new Microsoft patch released Tuesday draws on research from Microsoft's internal team and a disclosure from the National Security Agency. Both CVE-2021-28480 and CVE-2021-28481 are critical-severity remote code execution vulnerabilities.

"Cybersecurity is national security. Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors," said NSA Director of Cybersecurity Rob Joyce in a statement to the press. "Don't give them the opportunity to exploit this vulnerability on your system."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
