The Federal Office for Information Security (BSI) has issued a security warning for Microsoft’s corporate software Exchange Server. Those affected should install patches as soon as possible to eliminate the vulnerabilities.
Microsoft released patches for several security holes in its Exchange servers on Tuesday. Exchange Server is Microsoft’s corporate e-mail and calendar platform. According to Microsoft, the US National Security Agency (NSA) became aware of the vulnerabilities and reported them to the company.
New vulnerabilities in Microsoft Exchange not yet exploited
The company writes in a post on its security blog: “The vulnerabilities were reported by a security partner through the standard, coordinated disclosure of vulnerabilities and found internally by Microsoft.” It goes on to say: “We saw no exploitation of the weak points in attacks against our customers.” The company still recommends installing the security patches as soon as possible. Not least among the reasons is the increased vulnerability of Microsoft Exchange servers, triggered by the security debacle last month.
Microsoft points out in its post that it is important to install security updates as soon as possible, because once vulnerabilities become known, hacking groups often try to exploit them quickly before those affected have installed the updates.
Federal agency issues warning
The BSI rates the vulnerabilities as level 2, that is, level yellow. This means an “IT threat situation with increased observation of anomalies with temporary impairment of regular operations.” The vulnerabilities are CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483. The first two allow code to be executed remotely.
According to the BSI, the vulnerabilities are not yet public. In its warning, however, the authority writes: “Since Exchange servers are currently in the special focus of attackers [sic], there is a high probability that they will be exploited soon.” The authority therefore also recommends installing the security patches as soon as possible. The patches are available from BSI for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019.
Not related to the security debacle in March
As recently as March, glaring vulnerabilities in Microsoft Exchange Server became known. Thousands of private companies and federal agencies were affected. At that time Microsoft announced that a Chinese hacker group called “Hafnium” was actively exploiting four unpatched vulnerabilities in Microsoft Exchange. Some companies had to shut down email traffic for a long time to check whether their servers were infected.
According to Microsoft, the current security vulnerabilities are not related to the March threats.