The US National Security Agency is warning that Microsoft Exchange Server has four serious vulnerabilities that can be exploited to take over company networks.
The NSA helped Microsoft uncover the software flaws, which affect Exchange Server 2013, 2016, and 2019. But whether the government agency ever exploited the vulnerabilities for its own purposes remains unclear.
On Tuesday, Microsoft released patches to fix the problem. In a blog post, the company added: “Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.” (The blog post and this support document have more details on how to install the patches.)
The vulnerabilities pose a major threat to enterprises and government groups that rely on Exchange Server to handle their emails. However, Exchange Online is not affected.
According to Microsoft, all four vulnerabilities have a “low” attack complexity and can lead to remote code execution, which would let an attacker download and run malware on a company server.
“An attacker could exploit these vulnerabilities to gain access and maintain persistence on the target host,” the US Cybersecurity and Infrastructure Security Agency (CISA) added in a public notice. The agency also ordered all federal departments to install the patches immediately.
“Cybersecurity is a top priority for the Biden Administration and we’re committed to sharing actionable and timely information to help the American public operate safely online,” said Anne Neuberger, National Security Advisor for Cyber & Emerging Technologies.
Microsoft is warning that hackers will try to exploit the vulnerabilities before companies install the fixes. Hence, the software giant is urging customers to act fast and to enable automatic updates for Exchange Server if they haven’t already. In addition, Microsoft has published a script that customers can run to check whether any of their Exchange Servers are behind on updates.
The NSA-discovered flaws emerge a month after Microsoft disclosed a separate set of Exchange Server flaws that it claimed Chinese hackers were exploiting for spying purposes. A week later, security researchers noticed at least 10 hacking groups were leveraging the flaws to infiltrate computer systems across the globe.