A Zero-day CVE-2021-26857 among other critical vulnerabilities fixed with the latest Exchange Server update

Hello everyone,

Several security updates have been released in Microsoft Exchange Server to address vulnerabilities exploited in limited attacks. Noteworthy among these vulnerabilities is the Zero-day with the ID - CVE-2021-26857. This is a remote code execution vulnerability with a functional exploit code.

This vulnerability is part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. However, other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file.

Versions affected: The following versions of Microsoft Exchange Server are compromised while Exchange Online remains unaffected. Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.

Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019

The other vulnerabilities addressed are as follows:

To fix these vulnerabilities, install the out of band updates released as soon as possible. Initiate a sync between the Central Patch Repository and the Desktop Central server. Once synced, search for the following Patch IDs and deploy them to your target systems.

Patch ID	Bulletin ID	Patch Description
30930	MS21-FEB18	Security Update For Exchange Server 2013 CU23 (KB5000871)
30931	MS21-FEB18	Security Update For Exchange Server 2016 CU18 (KB5000871)
30932	MS21-FEB18	Security Update For Exchange Server 2016 CU19 (KB5000871)
30933	MS21-FEB18	Security Update For Exchange Server 2019 CU7 (KB5000871)
30934	MS21-FEB18	Security Update For Exchange Server 2019 CU8 (KB5000871)
30935	MS21-FEB18	Update Rollup 32 For Exchange 2010 SP3 (KB5000978)
31069	MS21-MAR8	Security Update For Exchange Server 2016 CU14 (KB5000871)
31070	MS21-MAR8	Security Update For Exchange Server 2016 CU15 (KB5000871)
31071	MS21-MAR8	Security Update For Exchange Server 2016 CU16 (KB5000871)
31072	MS21-MAR8	Security Update For Exchange Server 2019 CU4 (KB5000871)
31073	MS21-MAR8	Security Update For Exchange Server 2019 CU5 (KB5000871)
31074	MS21-MAR8	Security Update For Exchange Server 2019 CU6 (KB5000871)
31075	MS21-MAR8	Security Update For Exchange Server 2013 CU21 (KB5000871)
31076	MS21-MAR8	Security Update For Exchange Server 2013 CU 22 (KB5000871)
31077	MS21-MAR8	Security Update For Exchange Server 2016 CU12 (KB5000871)
31078	MS21-MAR8	Security Update For Exchange Server 2016 CU13 (KB5000871)
31079	MS21-MAR8	Security Update For Exchange Server 2016 CU17 (KB5000871)
31080	MS21-MAR8	Security Update For Exchange Server 2019 CU3 (KB5000871)
31081	MS21-MAR8	Security Update For Exchange Server 2016 CU10 (KB5000871)
31082	MS21-MAR8	Security Update For Exchange Server 2016 CU11 (KB5000871)
31083	MS21-MAR8	Security Update For Exchange Server 2019 RTM (KB5000871)
31084	MS21-MAR8	Security Update For Exchange Server 2019 CU1 (KB5000871)
31085	MS21-MAR8	Security Update For Exchange Server 2019 CU2 (KB5000871)
31086	MS21-MAR8	Security Update For Exchange Server 2016 CU8 (KB5000871)
31087	MS21-MAR8	Security Update For Exchange Server 2016 CU9 (KB5000871)

Note: The patches mentioned here will only be applicable if the respective cumulative updates have already been installed.

For example: Patch 30930 will only be shown missing in systems that have Exchange Server 2013 installed and the Cumulative Update 23 (CU 23) installed.

Cheers,

The ManageEngine Team