As part of wider updates for Exchange Server, Microsoft has patched a vulnerability in on-premises Exchange Server 2016 and 2019 that has seen "limited targeted attacks" in the wild.
"We are aware of limited targeted attacks in the wild using one of [today's patched] vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment," the Redmond, Wash.-based company wrote in its blog.
On-premises Exchange Server vulnerabilities became a major issue of concern early in 2021 when Microsoft identified the Chinese "Hafnium" espionage group taking advantage of a vulnerability. Microsoft was upfront about the espionage group when announcing that vulnerability, but at the time had only identified limited use in the wild. That soon ballooned when Hafnium made a last-ditch effort to drain all possible value from its exploit. There is no evidence of Hafnium involvement with the new vulnerability, and no evidence that patching the new vulnerability will accelerate attacks.
CVE-2021-42321 affects on-premises and hybrid Exchange clients, but not cloud clients.
In order to install the updates, clients must first be running Exchange Server 2016 CU21 or CU22, or Exchange Server 2019 CU10 or CU11.