NSA Helps Out Microsoft With Critical Exchange Server Vulnerability Disclosures

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA). The Register reports: Forty-four different products and services are affected, mainly having to do with Azure, Exchange Server, Office, Visual Studio Code, and Windows. Among the vulnerabilities, four have been publicly disclosed and a fifth is being actively exploited. Nineteen of the CVEs have been designated critical. 'This month's release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers,' Microsoft said in its blog post. 'These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers.

Clicking through Microsoft's coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you'll find the unspecified security partner is the NSA. Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems. 'NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks,' the signals intelligence agency said via Twitter.

Read more of this story at Slashdot.