The National Security Agency (NSA) recently issued a warning to private industry about four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 used on-premises. The NSA recommends immediate patching of the vulnerabilities before they are exploited by threat actors.

The vulnerabilities could lead to remote execution of code that would allow threat actors to take full control of the Exchange Servers and have access to, and control of, entire networks. Two of the vulnerabilities can be exploited remotely without any user interaction (which means that there is no need for phishing or other types of scams to get employees to do something to introduce the code into the system). The NSA has rated the vulnerabilities as highly critical.

Following the discovery of the vulnerabilities, the Cybersecurity and Infrastructure Security Agency ordered patching of all federal agency on-premises affected Exchange Servers and has instructed agencies to remove from federal networks any servers that are unable to be patched.

Patches for the vulnerabilities were released this week by Microsoft on Patch Tuesday. IT professionals may wish to consider the warning by NSA when prioritizing those patches.

In a rare sharing of information about vulnerabilities in a blog post, Microsoft this week urged customers to download software patches to Microsoft Exchange Server after it detected “multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.”

According to Microsoft’s Threat Intelligence Center, “[W]e are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately.” In the attacks Microsoft has observed, “the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

According to the blog post, the vulnerabilities being exploited were from state sponsored actors operating out of China.

The vulnerabilities being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft issued a patch, which can be accessed here.


The post includes information on the threat actor, HAFNIUM, which has been behind numerous malicious exploits against “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

The vulnerabilities detected by Microsoft affect Microsoft Exchange Server 2013, 2016, and 2019. If your company is running any of these versions, please consult Microsoft’s instructions on patching.