Microsoft is releasing patches for multiple different on-premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group.
The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected.
To minimize or avoid impacts of this situation, Microsoft highly recommends immediate action to apply the patches for any on premises Exchange deployments you have. The first priority being servers which are accessible from the Internet (e.g., servers publishing Outlook on the web/OWA and ECP).
To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.
We are committed to working with you through this issue. For additional help, please please contact our support team at This email address is being protected from spambots. You need JavaScript enabled to view it..
Exchange patch information:
• March 2, 2021 Security Update Release - Release Notes - Security Update Guide - Microsoft
• CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
• CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
• CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
• CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
