NSA spots new Exchange CVEs, Microsoft issues patches
By Justin Katz
Apr 14, 2021
The National Security Agency has helped identify two new vulnerabilities in on-premises Exchange servers, and Microsoft has released patches.
“We have not seen the vulnerabilities used in attacks against our customers,” according to a company blog post. “However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”
The two flaws -- CVE-2021-28480 and CVE-2021-28481 -- are both remote code execution vulnerabilities. They were reported by a security partner and found internally by Microsoft, the company said.
“NSA recently discovered a series of critical vulnerabilities in Microsoft Exchange and disclosed them to Microsoft,” an NSA spokesperson said. “Once we discovered the vulnerabilities, we initiated the disclosure process to secure the nation and our allies.”
Noting that the new CVEs are “separate and distinct” from four zero-day exploits found in March, “NSA urges immediate patching of the new vulnerabilities using Microsoft's April 13 patch Tuesday guidance,” the spokesperson said.
Microsoft in March announced that four zero-day exploits were found in its Exchange product and that the vulnerabilities were being actively exploited by a China-based threat actor dubbed “Hafnium.” The discovery prompted the Cybersecurity and Infrastructure Security Agency to issue an emergency directive ordering all federal civilian agencies to “update or disconnect” Microsoft Exchange products running on-premises.
Taken together with the campaign against SolarWinds, the two incidents have since become the primary subject for federal security officials and lawmakers at cybersecurity-focused public events and during congressional hearings.
This article was first posted to FCW, a sibling site to GCN.
Justin Katz is a former staff writer at FCW.