Microsoft has released urgent security fixes for Exchange Server 2013, 2016 and 2019 to address a remote code execution vulnerability which is being actively exploited in the wild.
The November 2021 security updates for Exchange Server fix vulnerabilities that appear to have been presented at Tianfu Cup, the Chinese Pwn2Own-style contest, as well as ones found through Microsoft's own internal research.
The flaw is a post-authentication vulnerability in Exchange 2016 and 2019, and Microsoft says it is aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321). It recommends that admins install the updates immediately to protect their environment.
The vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.
To check whether you have already been compromised, run the following PowerShell query on your Exchange server; it looks for a specific error event in the Application event log:
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
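As an added example (not from the original post or from Microsoft), the same indicator check run from an Exchange Management Shell against every Exchange server in the organization, using Get-WinEvent with a filter hashtable instead of Get-EventLog; it assumes the account has remote read access to the Application log on each server.

```powershell
# Added example: sweep every Exchange server for the deserialization error
# events Microsoft associates with exploitation of CVE-2021-42321.
# Assumes an Exchange Management Shell (for Get-ExchangeServer) and rights
# to read the Application log on each server remotely.

# Only Error-level events from the "MSExchange Common" source in the Application log.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchange Common'
    Level        = 2   # 2 = Error
}

$findings = foreach ($server in Get-ExchangeServer) {
    # Get-WinEvent raises a non-terminating error when nothing matches;
    # suppress it so an empty result simply means "no findings" for that server.
    $events = Get-WinEvent -ComputerName $server.Name -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' }

    foreach ($e in $events) {
        [pscustomobject]@{
            Server      = $server.Name
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            # The first line of the message is enough for triage; the CSV keeps the rest.
            Summary     = ($e.Message -split "`r?`n")[0]
        }
    }
}

if (-not $findings) {
    Write-Host 'No BinaryFormatter.Deserialize errors found on any Exchange server.'
} else {
    # Per-server counts plus the earliest hit give a quick picture of scope and timeline.
    $findings | Group-Object Server | ForEach-Object {
        $earliest = ($_.Group | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        '{0}: {1} event(s), earliest {2}' -f $_.Name, $_.Count, $earliest
    }
    # Keep the full list for the incident record.
    $findings | Sort-Object TimeCreated |
        Export-Csv -Path '.\exchange-deserialize-events.csv' -NoTypeInformation
}
```

The query only surfaces attempts that this event source logged as errors, so an empty result is not proof that a server was untouched; installing the update is still the required step.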
More details about the specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
via BleepingComputer