Once again, several critical Microsoft Exchange Server vulnerabilities have been found. Two of them give attackers access to a server without having to log in. Patches for the vulnerabilities are available.
Microsoft has been notified of the new Exchange vulnerabilities by the National Security Agency. It concerns the following four vulnerabilities:
The first two vulnerabilities allow remote attackers to run code on the compromised server without having to log in first. These are the two most critical bugs. To exploit the latter two vulnerabilities, an attacker first needs basic access rights, and the last one only works from a local network.
No known abuse
In a blog post, Microsoft states that, as far as the company knows, no attackers have yet exploited the vulnerabilities. Nevertheless, the company urges to install the available patches as soon as possible. The patches are available for Exchange Server 2013 CU23, Server 2016 CU19 and CU20 and Server 2019 CU8 and CU9. Microsoft has shared a script on GitHub that allows administrators to check whether they are behind on security updates. If so, administrators can follow the steps in this wizard.
Second batch in vulnerabilities in just a few months
It is the second time in a few months that critical vulnerabilities have been found in Exchange with which attackers could take over the server. The first vulnerabilities were found and exploited last autumn, even before Microsoft had a patch ready. After Microsoft released the patch, the exploits were suddenly shared widely online, leading to a wave of attacks. Microsoft then tried with all its might to convince administrators to patch their servers, as it was only a matter of time that unpatched servers would be hacked.
The fact that more vulnerabilities in Exchange are found so quickly is probably due to the fact that the previous leaks were so serious. It is likely that various security experts have started to examine the software more closely, as a result of which new vulnerabilities are being discovered at a rapid pace.