Microsoft patches new Exchange CVEs, credits NSA with discovery

Microsoft on Tuesday released patches for two newly discovered vulnerabilities in on-premises Exchange servers, separate from the zero-day exploits found in March, and the company is crediting the National Security Agency with identifying the flaws.

“These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft,” according to a company blog post. “We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”

The two flaws -- CVE-2021-28480 and CVE-2021-28481 -- are both remote code execution vulnerabilities.

“NSA recently discovered a series of critical vulnerabilities in Microsoft Exchange and disclosed them to Microsoft,” an NSA spokesperson said. “Once we discovered the vulnerabilities, we initiated the disclosure process to secure the nation and our allies.”

“NSA urges immediate patching of the new vulnerabilities using Microsoft's April 13 patch Tuesday guidance,” the spokesperson said, and noted that the new CVEs are “separate and distinct” from four zero-day exploits found in March.

Microsoft in March announced that four zero-day exploits were found in its Exchange product and that the vulnerabilities were being actively exploited by a China-based threat actor dubbed “Hafnium.” The discovery prompted the Cybersecurity and Infrastructure Security Agency to issue an emergency directive ordering all federal civilian agencies to “update or disconnect” Microsoft Exchange products running on-premises.

Taken together with the campaign against SolarWinds, the two incidents have since become the primary subject for federal security officials and lawmakers at cybersecurity-focused public events and during congressional hearings.

About the Author

Justin Katz is a former staff writer at FCW.

