System scan (Robert Lucian Crusitu/

NSA spots new Exchange CVEs, Microsoft issues patches

The National Security Agency has helped identify two new vulnerabilities in on-premise Exchange servers, and Microsoft has released patches.

“We have not seen the vulnerabilities used in attacks against our customers,” according to a company blog post. “However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”

The two flaws -- CVE-2021-28480 and CVE-2021-28481 -- are both remote code execution vulnerabilities. They were reported by a security partner and found internally by Microsoft, the company said.

“NSA recently discovered a series of critical vulnerabilities in Microsoft Exchange and disclosed them to Microsoft,” an NSA spokesperson said. “Once we discovered the vulnerabilities, we initiated the disclosure process to secure the nation and our allies.”

Noting that the new CVEs are “separate and distinct” from four zero-day exploits found in March, “NSA urges immediate patching of the new vulnerabilities using Microsoft's April 13 patch Tuesday guidance,” the spokesperson said.

Microsoft in March announced that four zero-day exploits were found in its Exchange product and that the vulnerabilities were being actively exploited by a China-based threat actor dubbed “Hafnium.” The discovery prompted the Cybersecurity and Infrastructure Security Agency to issue an emergency directive ordering all federal civilian agencies to “update or disconnect” Microsoft Exchange products running on-premises.

Taken together with the campaign against SolarWinds, the two incidents have since become the primary subject for federal security officials and lawmakers at cybersecurity-focused public events and during congressional hearings.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Justin Katz is a former staff writer at FCW.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected