The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to install newly released Microsoft Exchange security updates by Friday. Today, Microsoft released security updates for four Microsoft Exchange vulnerabilities discovered by the NSA. These Exchange vulnerabilities allow remote code execution, and two of them do not require attackers to authenticate first. While none of the vulnerabilities are known to be used in attacks, CISA believes that threat actors will reverse engineer the patches to create working exploits due to their severity and public disclosure. To prevent another widescale attack on Microsoft Exchange servers, CISA has updated its previously released Emergency Directive 21-02 to require all federal agencies to install today's security updates by 12:01 AM on Friday, April 16th, 2021.
CISA gives federal agencies until Friday to patch Exchange servers
