If you are administering an on-premise Exchange Server (2013, 2016, 2019) you need to urgently apply a set of patches Microsoft released today for vulnerabilities in the OS which are being actively exploited.
The vulnerabilities have a severity score of 9.1 and are very easy to exploit.
“These flaws are very easy to exploit,” said Volexity President Steven Adair, who discovered the holes. “You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to it.”
CVE-2021-26855 is a “server-side request forgery” (SSRF) flaw, in which a server can be tricked into running commands that it should never have been permitted to run, such as authenticating as the Exchange server itself.
The attackers used CVE-2021-26857 to run code of their choice under the “system” account on a targeted Exchange server. The other two zero-day flaws — CVE-2021-26858 and CVE-2021-27065 — could allow an attacker to write a file to any part of the server.
Microsoft says a state-sponsored Chinese hacker group they dubbed Hafnium have been exploiting the flaws, but now that it has been released any run of the mill hacker could not take over your network.
Hosted Exchange servers are not affected.