Microsoft released patches on Tuesday for three versions of its Exchange Server email and calendar software that businesses use in on-premises data centers, and the federal government has ordered all agencies to install them, warning that the vulnerabilities being patched "pose an unacceptable risk to the federal corporation and require immediate and emergency action."
The updates come a month after Microsoft took action to respond to attacks on other Exchange Server flaws, which the company said were exploited by Chinese hackers. But unlike last time, Microsoft said in a blog post that it has not yet observed any exploits of the newly discovered holes.
Nevertheless, the widespread use of Exchange and the importance of email in general has prompted the federal government to sound the alarm.
In a directive on Tuesday, the US Cybersecurity and Infrastructure Security Agency noted that these vulnerabilities “differ from those disclosed and fixed in March 2021” and ordered all government agencies to deploy the patches by Friday.
“Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information stored on Exchange servers managed and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for hostile activity,” CISA wrote. “This finding is based on the likelihood that the vulnerabilities will be weaponized, combined with the widespread use of the affected software in the executive branch and a high potential for compromising the integrity and confidentiality of agency information.”
The new patches apply to the 2013, 2016 and 2019 versions of Exchange Server.
The company said organizations using the cloud-based Exchange Online service included in Microsoft 365 subscription bundles are already protected.
Microsoft gave credit to the US National Security Agency for reporting the new vulnerabilities.