10:30am, 14 April 2021
Updates released for new critical vulnerabilities in Microsoft Exchange
Four Remote Code Execution (RCE) vulnerabilities have been discovered in Microsoft Exchange Server and patches have been released.
Two of these vulnerabilities are exploitable without authentication. These vulnerabilities must be patched urgently due to the level of access they would grant an attacker. This set of vulnerabilities is different from the ones disclosed earlier this year and detailed in our March 2021 advisory.
Organisations running Microsoft Exchange servers are urged to patch as soon as possible to prevent possible exploitation.
What's happening
Systems affected
On-premises Microsoft Exchange Server versions:
- 2013
- 2016
- 2019
What this means
Attackers may be able to exploit these vulnerabilities to execute their own code on affected servers, which would grant them access and control of the server. This level of access can lead to data exfiltration and further network compromise. This year we have seen similar vulnerabilities being exploited by attackers uploading ransomware to affected machines, and it is possible these vulnerabilities will be exploited in a similar manner.
What to look for
How to tell if you're at risk
If your organisation is running Microsoft Exchange version 2013, 2016, or 2019 and has not yet applied the April 2021 security update, you are at risk. Microsoft has also released an “Exchange Server Health Checker” script that you can use to check your servers, detailed in the Microsoft Exchange team blog post.
If you are using Exchange Online products, you are not affected and do not need to take any action.
What to do
Prevention
Apply the April 2021 security updates as soon as possible. The Microsoft Exchange team has written a blog post with helpful information for administrators.
More information
Microsoft Exchange Team blog detailing the vulnerabilities, checking script and update
Previous March 2021 CERT NZ advisory about Exchange vulnerabilities being exploited
US CERT's advisory about the April 2021 vulnerabilities and patch
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.