IMPORTANT UPDATE:
An additional Microsoft Exchange advisory for on-prem servers has been issued April 13, as part of the April 2021 Patch Tuesday release.
Microsoft addressed four critical vulnerabilities in Microsoft Exchange Server. Two of these flaws can be exploited by remote, unauthenticated attackers without the need for any user interaction. The recommendation is to apply patches immediately based on the likelihood of these vulnerabilities being weaponized. Threat actors will move quickly to utilize these vulnerabilities.
| CVE | Vulnerability Type | CVSSv3 |
|---|---|---|
| CVE-2021-28480 | Remote Code Execution | 9.8 |
| CVE-2021-28481 | Remote Code Execution | 9.8 |
| CVE-2021-28482 | Remote Code Execution | 8.8 |
| CVE-2021-28483 | Remote Code Execution | 9.0 |
Similar to last month’s out of band security update, these latest Exchange Server vulnerabilities affect only on-premises versions of Microsoft Exchange Server; Microsoft Exchange Online is not affected by these flaws.