Microsoft recommends that companies patch four new Exchange Server vulnerabilities just weeks after four zero-day vulnerabilities were revealed.
In Microsoft’s Patch Tuesday roundup, the software giant and the US National Security Agency (NSA) both urged administrators to apply the fixes.
Microsoft credited the NSA with discovering two remote code execution vulnerabilities (CVE-2021-28480 and CVE-2021-28481) in Exchange Server. Both bugs carry a CVSS score of 9.8 because they can be exploited without any user interaction.
Microsoft has released fixes for 114 CVEs that cover everything from Windows to Edge (Chromium-based), Azure, Microsoft Office, SharePoint Server, and Exchange Server, among others. According to TippingPoint’s ZDI, this Patch Tuesday is the most important of the year.
Regarding Exchange bugs, Microsoft said:
We have not seen these vulnerabilities used in attacks against our customers. However, since adversaries have recently focused on Exchange, we recommend that customers install updates as soon as possible to ensure they remain protected against these and other threats.
The attacks on Exchange have been a real headache for Microsoft and businesses. Microsoft released emergency fixes for Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on March 2. At the time, the company said that four zero-day vulnerabilities that could lead to data theft and server compromise were being actively exploited in “limited and targeted attacks.”
However, it didn’t take long for multiple groups to jump on the bandwagon. It is estimated that thousands of systems owned by organizations around the world have been compromised.
In addition to the emergency fixes, Microsoft also released a mitigation guide and created a turnkey tool that applies a URL rewrite rule for one of the vulnerabilities to block attacks.