Microsoft has released security updates for its Exchange on-premises email server software that businesses should take on board.
The security updates are for flaws in Exchange Server 2013, 2016, and 2019 — the on-premises versions of Exchange that were compromised earlier this year by the Beijing-backed hacking group that Microsoft calls Hafnium. Four vulnerabilities in on-premises Exchange server software were exploited, and now Microsoft has warned that one newly-patched flaw — tracked as CVE-2021-42321 — is also under attack.
The Exchange security updates were released as part of Microsoft’s November 2021 Patch Tuesday updates for Windows, the Edge browser, the Office suite, and other software products.
The Exchange bug CVE-2021-42321 is a “post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment,” Microsoft said in a blog post about the new Exchange bugs.
“These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action,” Microsoft notes.
Post-authentication vulnerabilities are risky because they can be exploited by anyone who has already logged in, including an attacker using legitimate but stolen credentials. Some post-authentication attacks can render two-factor