The National Security Agency (NSA) recently issued a warning to private industry about four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 used on-premises. The NSA recommends immediate patching of the vulnerabilities before they are exploited by threat actors.
The vulnerabilities could lead to remote execution of code that would allow threat actors to take full control of the Exchange Servers and have access to, and control of, entire networks. Two of the vulnerabilities can be exploited remotely without any user interaction (which means that there is no need for phishing or other types of scams to get employees to do something to introduce the code into the system). The NSA has rated the vulnerabilities as highly critical.
Following the discovery of the vulnerabilities, the Cybersecurity and Infrastructure Security Agency ordered patching of all federal agency on-premises affected Exchange Servers and has instructed agencies to remove from federal networks any servers that are unable to be patched.
Patches for the vulnerabilities were released this week by Microsoft on Patch Tuesday. IT professionals may wish to consider the warning by NSA when prioritizing those patches.