On April 13, Microsoft released its monthly patches for vulnerabilities found within their products. In their release announcement, Microsoft strongly recommends prioritizing the CVE 2021 28481 security update which affects Exchange servers 2013, 2016, and 2019. This vulnerability allows hackers access to mailboxes to read or even exfiltrate sensitive information.
Microsoft stated, "We have not seen the vulnerability used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats. Customers using Exchange Online are already protected and do not need to take any action. More information on installing these updates is available in our Exchange Release blog."
This vulnerability is separate from the Zero Day Exchange vulnerabilities we reported in March.
Course of Action
Following Microsoft's recommendations, Systems Engineering applied the critical security updates to our managed patching clients who have affected on-premises Exchange servers.
For our clients who do not subscribe to a Systems Engineering patching service and have an affected on-premises Exchange server, we recommend applying the security update as soon as possible.
If you have questions about this security alert, please reach out to your Account Manager.