Microsoft patches new Exchange CVEs, credits NSA with discovery

The new vulnerabilities found in Exchange servers running on-premises are separate from zero-day exploits discovered and announced in March.


Microsoft on Tuesday released patches for two newly discovered vulnerabilities in on-premises Exchange servers, separate from the zero-day exploits found in March, and the company is crediting the National Security Agency with identifying the flaws.

“These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft,” according to a company blog post. “We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”

The two flaws, CVE-2021-28480 and CVE-2021-28481, are both remote code execution vulnerabilities.

“NSA recently discovered a series of critical vulnerabilities in Microsoft Exchange and disclosed them to Microsoft,” an NSA spokesperson said. “Once we discovered the vulnerabilities, we initiated the disclosure process to secure the nation and our allies.”

“NSA urges immediate patching of the new vulnerabilities using Microsoft's April 13 Patch Tuesday guidance,” the spokesperson said, and noted that the new CVEs are “separate and distinct” from the four zero-day exploits found in March.

Microsoft in March announced that four zero-day exploits were found in its Exchange product and that the vulnerabilities were being actively exploited by a China-based threat actor dubbed “Hafnium.” The discovery prompted the Cybersecurity and Infrastructure Security Agency to issue an emergency directive ordering all federal civilian agencies to “update or disconnect” Microsoft Exchange products running on-premises.

Taken together with the campaign against SolarWinds, the two incidents have since become the primary subject for federal security officials and lawmakers at cybersecurity-focused public events and during congressional hearings.