“Zero-day” security vulnerability discovered on Microsoft Exchange servers
On Tuesday, March 2nd, Microsoft released notice of a “zero-day” security vulnerability discovered in Exchange Server 2010, 2013, 2016 and 2019.
Zero-day vulnerabilities are vulnerabilities in software that have been present since the initial release of the software. These vulnerabilities are often discovered after they are exploited for malicious purposes, and there is little defense against them until a security patch can be deployed.
This “critical” vulnerability can allow an attacker to access all email on an organization’s Exchange Server over the internet without administrator credentials. Microsoft has determined that this vulnerability has been exploited against a small number of high-profile organizations by a Chinese-backed hacking group, though there is no evidence that this vulnerability has been widely exploited by other groups of hackers.
In conjunction with this announcement, Microsoft has released security updates to correct the vulnerability, along with documentation detailing the vulnerability and the associated fix. These updates require that an Exchange Server be updated to the most recent “Cumulative Update” (CU) version before they can be applied.
This vulnerability does NOT impact Office 365 email services. However, organizations that have an on-premises Exchange Server deployed in a hybrid configuration with Office 365 are still required to update to protect against this vulnerability.
Trinus is treating this vulnerability with the utmost urgency and will be applying these updates to our hosted email infrastructure ASAP.
If you have any questions regarding this vulnerability or the Trinus response, please feel free to contact us.