Agencies Have Till Midnight April 15 to Apply New Microsoft Exchange Patches

By one minute past midnight on April 15, federal agencies must have patched new vulnerabilities identified in Microsoft’s on-premises Exchange servers, the Cybersecurity and Infrastructure Security Agency said. 

“Microsoft Exchange Servers that cannot be updated within the deadline above must be immediately removed from agency networks,” reads a supplement to the directive CISA released Tuesday.

The directive also requires federal agencies’ chief information officer equivalents to report completion of the newly required actions to CISA by noon on Friday. 

“These vulnerabilities are different from the ones disclosed and fixed in March 2021—the security updates released in March 2021 will not remediate against these vulnerabilities,” CISA said. “Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity.”

The updated directive follows suggestions from Microsoft and the National Security Agency that organizations prioritize fixing four vulnerabilities the agency found in the company’s on-premises Exchange Servers that would allow an adversary to remotely execute code on a victim’s systems. 

"Cybersecurity is national security,” NSA Cybersecurity Director Rob Joyce said in an email linking to a Microsoft blog post on the vulnerabilities Tuesday. “Network defenders now have the knowledge needed to act, but so do adversaries and malicious cyber actors. Don't give them the opportunity to exploit this vulnerability on your system."

Every month Microsoft releases fixes for vulnerabilities they or outside groups and individuals find on their systems. The process sets off a race between defenders to update systems and attackers who can reverse engineer the patches to attack entities that haven’t applied them. This month’s release contained a total of 95 vulnerabilities.

An NSA spokesperson touted the agency's commitment to revealing vulnerabilities it finds, as opposed to keeping them secret to use as weapons in offensive operations, a practice the agency has taken heat for in the past.

"Once we discovered the vulnerabilities, we initiated the disclosure process to secure the nation and our allies,” the spokesperson said. “After we disclosed these vulnerabilities to Microsoft, they promptly created a patch. NSA values partnership in the cybersecurity community. No one organization can secure their networks alone. We don't want to just preach partnership—we practice it—and show our work. We are continuing the partnership by urging application of the patches immediately."

Microsoft said it hasn’t seen active exploitation of the vulnerabilities but urged customers to prioritize them given recent activity targeting Exchange servers, which spurred CISA’s initial directive. 

“This month’s release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers,” the blog post reads. “We have not seen the vulnerabilities used in attacks against our customers. However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats.”