Partners of the Cybersecurity and Infrastructure Security Agency (CISA) have observed active exploitation of vulnerabilities in Microsoft Exchange on-premises products. Please review the CISA-issued ED 21-02 for Microsoft Exchange on-premises products, and update the products or disconnect them from your network until they are updated with the Microsoft patch.
The seriousness of this vulnerability cannot be overstated; its exploitation is widespread and indiscriminate. This vulnerability is already being actively exploited on many thousands of systems and could allow criminal actors to engage in acts that threaten continuity of operations, such as ransomware, even after Microsoft Exchange has been patched.
Everyone using Microsoft Exchange on-premises products needs to immediately:
- Check for signs of compromise;
- If evidence of compromise is found, assume that your organization's network identity has been compromised and begin incident response procedures;
- Patch Microsoft Exchange with the vendor-released patches;
- If unable to patch immediately or remove Microsoft Exchange from the network immediately, CISA strongly recommends following the alternative mitigations found in Microsoft's blog on Exchange Server Vulnerabilities Mitigations. These mitigations should not be taken as an adequate substitute for patching.
Please immediately speak with your IT officials to determine what steps your organization has taken, and if your organization does not have the technical capability to verify network integrity, please consider bringing in a third party to assist you as soon as possible.
Contact: Paul Penna, Legislative Analyst, firstname.lastname@example.org, 609 695-3481, x110.