Written by Tracey Pretorius, Senior Director, Global Partner Strategy, One Commercial Partner

On Tuesday, March 2, 2021, Microsoft released security updates for multiple on–premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group that we are calling Hafnium. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

The versions affected are:

• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019
• Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.

To minimize or avoid impacts of this situation, Microsoft highly recommends that you take immediate action to apply the updates for any on-premises Exchange deployments you have or are managing for a customer or advise your customer of the steps they need to take. The priority being servers which are accessible from the Internet (for example, servers publishing Outlook on the web/OWA and ECP).

Further information and guidance

Please ensure you keep reading the Microsoft Security Response Center and Exchange Team blogs for the latest information.

• Microsoft Security Response Center blog
• Exchange Team blog
• Hafnium Targeting Exchange
• Microsoft on the Issues
• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

Not related to known attacks

• CVE-2021-26412
• CVE-2021-26854
• CVE-2021-27078