Attention: Microsoft has released an out-of-band security update addressing vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019.
Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to take control of an affected system and can exploit one vulnerability CVE-2021-26855 to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.
CISA encourages users and administrators to review the Microsoft blog post and apply the necessary updates or workarounds.
If you have Exchange in your environment, the Dean Dorton Cybersecurity team can assess if your Exchange servers have been compromised and advise you on steps you can take to mitigate these vulnerabilities.