Microsoft Exchange Server Patching Necessary to Address 4 New Critical Flaws

by | Apr 27, 2021

Four new zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 have been discovered by the U.S. National Security Agency (NSA).

These versions of Microsoft Exchange Server must be patched as soon as possible to avoid the possibility of the vulnerabilities being targeted by cybercriminals.

A directive has already been released by the Cybersecurity and Infrastructure Security Agency (CISA) for all federal bodies to patch all vulnerable on-premises Exchange Servers no later than 12.01 AM on Friday April 16, 2021 due to the high risk of the weaknesses being targeted. To date there has been no evidence of the vulnerability being successfully exploited in the wild. However, there remains the chance that any infiltrated body has yet to make such a breach been public.

By targeting the vulnerabilities hackers could potentially complete remote execution of arbitrary code in order to take management of vulnerable Exchange Servers as well as persistent access and control of enterprise networks.

Two of the flaws can be exploited remotely by unauthenticated individuals with no user interaction necessary. Both of those flaws, tracked as CVE-2021-28480 and CVE-2021-28481, have been given a CVSS v3.1 rating of 9.8 out of 10. The third flaw, CVE-2021-28483 has been assigned a CVSS rating of 9.0 out of 10, and the fourth, CVE-2021-28482, a rating of 8.8 out of 10.

Should any susceptible Microsoft Exchange Servers remain unpatched prior to the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until such time as the patches have been carried out. Technical and/or management controls must be configured to ensure newly provisioned and previously disconnected endpoints are patched before connecting them to agency networks. CIOs or equivalents are required to file a report to CISA by Noon ET on Friday confirming that all vulnerable Exchange Servers have been patched or disconnected, and should any cyber incidents be discovered, Indicators of Compromise must be made known to CISA.

Patches to address all four flaws were made available by Microsoft on April 2021 Patch Tuesday, along with patches for an additional 15 critical flaws across its product suite and 88 flaws that were rated important. One zero-day vulnerability has been patched – a Win32K elevation of privilege vulnerability: CVE-2021-28310 – which Kaspersky is of the belief that it is being actively exploited in the wild by a minimum of one threat group.

Along with browser exploits, hackers can escape sandboxes and obtain system management permissions for more access. Exploitation would permit the remote execution of arbitrary code, the creation of new accounts with full privileges, information disclosure and destruction, and the ability to download new software.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy