Microsoft has released patches for four critical vulnerabilities being used to target on-premises versions of Microsoft Exchange Server in “limited and targeted” attacks. It attributes the activity to a group called Hafnium, which officials believe is state-sponsored and operates out of China.
The zero-days recently exploited include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft urges customers to update their on-premises systems with the patches “immediately” and says these flaws affect Microsoft Exchange Server versions 2013, 2016, and 2019. Exchange Online is not affected.
In the technical details of a blog post shared today, Microsoft says CVE-2021-26855 is a server-side request (SSRF) vulnerability that allows an attacker to send arbitrary HTTP requests and then authenticate as the Exchange server. CVE-2021-26857…