icetray - Fotolia

NSA finds new Exchange Server vulnerabilities

Microsoft said it has not seen the new Exchange Server vulnerabilities being used in attacks against customers, but customers are still advised to patch immediately.

Four new Microsoft Exchange Server vulnerabilities, three of which are critical, were disclosed and patched Tuesday.

The vulnerabilities, which were reported to Microsoft by the U.S. National Security Agency (NSA), are separate from those disclosed in early March. While those vulnerabilities, led by ProxyLogon, were widely exploited at disclosure and even months before, Microsoft said in a blog post that they "have not seen the vulnerabilities used in attacks against our customers."

The vulnerabilities patched include CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483. All four are remote code execution (RCE) vulnerabilities, and carry Common Vulnerability Scoring System (CVSS) base scores ranging from 8.8 to 9.8. Three of the vulnerabilities are considered critical with CVSS scores of 9.0 or higher, while one, CVE-2021-28482, missed by the critical mark by 0.2 points.

In response to the updates, the NSA posted a tweet urging users to apply Tuesday's new patches, and Microsoft published a post for Exchange Server customers with an FAQ and patching instructions.

Among other points, the FAQ notes that because these new vulnerabilities are distinct from those disclosed in March, security mitigation tools released for previous vulnerabilities will not mitigate the latest flaws.

Microsoft declined SearchSecurity's request for comment, and the NSA has not responded at press time.

The NSA and federal government had come under criticism in recent years from the infosec community for failing to disclose vulnerabilities and exploits in the past and instead hoarding them for offensive cyber operations. Notable exploits included EternalBlue, which uses a zero-day vulnerability in Microsoft's Server Message Block protocol.

EternalBlue and other exploits were exposed to the public by the mysterious hacking group known as the Shadow Brokers; EternalBlue was later used by threat actors in the WannaCry ransomware attacks in 2017, which caused massive global disruptions and billions of dollars in damages. 

These four RCE vulnerabilities could lead to further threats for Exchange Server customers, including ransomware attacks. Nearly a month and a half later, questions remain about both the scope and timeline of the attacks that exploited the initial Exchange vulnerabilities.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Next Steps

Neuberger calls for shift in software supply chain security

Dig Deeper on Application and platform security