CRITICAL Advisory: Microsoft Releases Out-of-Band Security Updates for Actively Exploited Exchange Server Zero-Day Bugs
Situation
Microsoft has released out-of-band security updates to address four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) affecting Microsoft Exchange Server 2013, 2016, and 2019. These vulnerabilities have been observed being exploited in the wild.
Problem
These four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) have been seen chained together to gain access to Microsoft Exchange servers, steal email, and plant further malware for increased access to the network. For the attack to work, a remote attacker would first need to access a Microsoft Exchange server on port 443. If access is available, the threat actors could then use the four zero-day vulnerabilities to gain remote access to the affected system.
Implication
A remote attacker can exploit three remote code execution vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to take control of an affected system and can exploit one vulnerability (CVE-2021-26855) to obtain access to sensitive information.
Need
Due to the severity of the attacks, Microsoft recommends that administrators install these updates immediately to protect Exchange servers from these attacks. Additional information can be found in the link below.
Microsoft security blog:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
Additional details and CISA mitigation info: