Written byTracey Pretorius, Senior Director, Global Partner Strategy, One Commercial Partner
On Tuesday, March 2, 2021, Microsoftreleased security updatesfor multiple on–premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group that we are callingHafnium. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
The versions affected are:
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.
To minimize or avoid impacts of this situation, Microsoft highly recommends that you take immediate action to apply the updates for any on-premises Exchange deployments you have or are managing for a customer or advise your customer of the steps they need to take. The priority being servers which are accessible from the Internet (for example, servers publishing Outlook on the web/OWA and ECP).
Further information and guidance
Please ensure you keep reading the Microsoft Security Response Center and Exchange Team blogs for the latest information.