Critical update required for on-premises Exchange Servers due to Microsoft Exchange Server zero-day vulnerabilities

Microsoft just released a blog article about newly discovered  zero-day vulnerabilities in Microsoft Exchange Server that are actively being exploited. The affected versions exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected by these vulnerabilities. Since these zero-day vulnerabilities are actively being exploited by a nation-state affiliated group, Microsoft strongly advices any organization using any of the above mentioned on-premises versions of Exchange Server to apply the patches released to fix these issues.

Actions required

Impacted versions: on-premises Exchange Servers 2010, 2013, 2016, and 2019. 

Exchange Online is not affected.

Specifically, to minimize or avoid impacts of this situation, Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments you have or are managing for a customer or advise your customer of the steps they need to take. The first priority being servers which are accessible from the Internet (e.g., servers publishing Outlook on the web/OWA and ECP).  
 
To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.  
•    You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). 
•    Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010). 
•    We also recommend that your security team assess whether or not the vulnerabilities were being exploited by using the Indicators of Compromise we shared here

Exchange patch information

March 2, 2021 Security Update Release – Release Notes – Security Update Guide – Microsoft

  • CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
  • CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
  • CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
  • CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)