This month’s Patch Wednesday release addressed 108 CVEs, 19 of which are rated critical. This is the first time in 2021 that Microsoft patched over 100 CVEs. They’ve addressed 329 CVEs so far in 2021. Following last month’s out-of-band update addressing four critical zero-days in Microsoft Exchange Server that were exploited in the wild, including ProxyLogon, Microsoft patched four more critical Exchange Server vulnerabilities this month: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483. All four are credited to the National Security Agency, with two also being discovered by Microsoft internally. Here’s a comment from Satnam Narang, Staff Research Engineer, Tenable.
“These vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index. Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organisations apply these Exchange Server patches immediately. Microsoft also patched CVE-2021-28310, a Win32k Elevation of Privilege vulnerability that was exploited in the wild as a zero-day.
“Exploitation of this vulnerability would give the attacker elevated privileges on the vulnerable system. This would allow an attacker to execute arbitrary code, create new accounts with full privileges, access and/or delete data and install programs. Elevation of Privilege vulnerabilities are leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges.” — Satnam Narang, Staff Research Engineer, Tenable