Just in Time Bulletin: Four More Zero-day Vulnerabilities in Microsoft Exchange Server

We have covered the 4 zero-day vulnerabilities in the Microsoft Exchange Server back in March 3rd, 2021

There are additional Four more zero-day vulnerabilities – CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 – in Microsoft Exchange servers have been used in attacks in the wild.

What are CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483? 

CVE-2021-28480 and CVE-2021-28481 are pre-authentication vulnerabilities in Microsoft Exchange Server. A pre-authentication vulnerability means that an attacker does not need to authenticate to the vulnerable Exchange Server in order to exploit the vulnerability. All the attacker needs to do is perform reconnaissance against their intended targets and then send specially crafted requests to the vulnerable Exchange Server.

CVE-2021-28482 and CVE-2021-28483 are post-authentication vulnerabilities in Microsoft Exchange Server. These are only exploitable once an attacker has authenticated to a vulnerable Exchange Server. However, these flaws could be chained together with a pre-authentication Exchange Server vulnerability to bypass that requirement. 

How bad is this? 

CVECVSSv3 Score
CVE-2021-284809.8
CVE-2021-284819.8
CVE-2021-284828.8
CVE-2021-284839.0

Active exploitation today: Exploited in the wild

Severity: Critical

  • credentials not required
  • authentication bypass
  • results in Exchange controller compromise

Who is affected by this? 

All 4 vulnerabilities – CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 –  effects below 5 servers:

  • Microsoft Exchange Server 2019 Cumulative Update 9
  • Microsoft Exchange Server 2019 Cumulative Update 8
  • Microsoft Exchange Server 2016 Cumulative Update 20
  • Microsoft Exchange Server 2016 Cumulative Update 19
  • Microsoft Exchange Server 2013 Cumulative Update 23

How are they exploited? 

Please review the Microsoft Security Advisory for the exploitation details. 

How do I protect myself? 

Microsoft has released patches to address all 4 vulnerabilities and they emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately to protect against these exploits and prevent future abuse across the ecosystem. 

NopSec strongly encourages organizations to apply these patches as soon as possible.

Additional Resources: