Microsoft is advising businesses to patch four new previously undisclosed Exchange Server vulnerabilities just weeks after zero-day attacks that affected global installations.
In Microsoft’s Patch Tuesday roundup, the software giant and US National Security Agency (NSA) urged fixes.
Microsoft credited the NSA for finding two remote code execution vulnerability flaws (CVE-2021-28480 and CVE-2021-28481) in Exchange Server. Both bugs found by the NSA carry a CVSS score of 9.8 due to the risks of attacks without user interaction.
Overall, Microsoft released patches for 114 CVEs that cover everything from Windows to Edge (Chromium based), Azure, Microsoft Office, SharePoint Server and Exchange Server among others. According to Trend Micro’s ZDI the patch bundle is the most this year.
Also: Microsoft details its legacy Edge browser phase-out strategy
Regarding the Exchange bugs, Microsoft said:
We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.
The attacks on Exchange have been a major headache for Microsoft and enterprises. Microsoft released emergency patches for Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on March 2. At the time, the company said that four zero-day vulnerabilities which could lead to data theft and overall server hijacking were being actively exploited in “limited, targeted attacks.”
However, it was not long before multiple advanced persistent threat (APT) groups began to join in Exchange Server-based campaigns and it is estimated that thousands of systems belonging to organizations worldwide have been compromised.
Alongside the emergency patches, Microsoft has also published a mitigation guide and created a one-click mitigation tool including a URL rewrite for one of the vulnerabilities to stop an attack chain from forming.