Active Exploitation of Microsoft Vulnerability

Microsoft released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to take control of an affected system, and can exploit one vulnerability (CVE-2021-26855) to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.

For additional information on these vulnerabilities, please refer to the Cybersecurity and Infrastructure Security Agency's (CISA) current activity alert. CISA encourages users and administrators to review the Microsoft blog post and apply the necessary updates or workarounds.

In addition, CISA just issued Emergency Directive (ED) 21-02 requiring federal civilian executive branch departments and agencies running Microsoft Exchange on-premises products to update the products or disconnect them from their networks until they have been updated with the Microsoft patch. The Directive is in response to observed active exploitation of these products using previously unknown vulnerabilities. While this Directive only applies to federal civilian executive branch departments and agencies, CISA is sharing it with all of our partners to take into consideration during internal risk mitigation conversations.

In addition to the current activity alert, CISA also issued a companion alert that includes both the tactics, techniques, and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity, to encourage other public and private sector organizations to take steps to protect their networks.

Please contact CISA (via email at central@cisa.dhs.gov or by phone at 1-888-282-0870) to report an intrusion or to request either technical assistance or additional resources for incident response.

Cybersecurity and Infrastructure Security Agency
Defend Today, Secure Tomorrow

Kyle Wolf MA, CPP
Protective Security Advisor – Kentucky
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
(C) 202-573-6237
Kyle.wolf@hq.dhs.gov