Critical vulnerabilities affecting on-premise Microsoft Exchange servers

Overview

The National Cyber Security Centre (NCSC) is aware of multiple critical vulnerabilities affecting on-premise Microsoft Exchange servers. Microsoft has released patches for these vulnerabilities as part of the April 2021 Patch Tuesday release. These vulnerabilities are unrelated to earlier Exchange vulnerabilities, made public in early March 2021.

Microsoft has released a security advisory(external link)¹ detailing these vulnerabilities, which include the ability for an unauthenticated actor to execute remote code on vulnerable hosts. The NCSC strongly recommends organisations running affected instances of Microsoft Exchange Server apply the security patches as soon as possible.

The vulnerabilities affect the following versions of Microsoft Exchange Server:

• Microsoft Exchange Server 2019
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2013

Successful exploitation of these vulnerabilities could allow an actor to gain remote code execution with elevated privileges on the impacted device. This can facilitate the deployment of malware to enable continued access to the compromised system, even after the system has been patched.The NCSC has no information to suggest that these vulnerabilities are being actively exploited in New Zealand.

The vulnerabilities are being tracked as the following CVEs:

• CVE-2021-28480(external link) - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28481(external link) - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28482(external link) - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28483(external link) - Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Online is not known to be affected by these vulnerabilities.

While there is no information available that indicates these vulnerabilities have been exploited, the NCSC is aware of multiple actors exploiting previously identified Exchange vulnerabilities that were patched by Microsoft in March 2021.

Actors often reverse-engineer patches to identify and exploit vulnerabilities, as such, the NCSC recommends organisations apply security patches as soon as possible.

Recommendations

The NCSC strongly recommends organisations running affected instances of Microsoft Exchange Server apply the security patches as soon as possible.

Please contact the NCSC if you identify evidence of malicious activity within your network.

Download NCSC Advisory CSA-2021-2291 [PDF, 711 KB]

¹https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available(external link)