Microsoft has published an update for Exchange Server as part of its November patch day. According to the company, the vulnerability with the identifier CVE-2021-42321 is already under attack, and attacks may succeed even when two-step login is enabled.
“The Exchange bug CVE-2021-42321 is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment,” Microsoft writes in a blog post about the new Exchange bugs. “This vulnerability affects on-premise Microsoft Exchange Servers, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.”
Microsoft confirmed that two-factor authentication (2FA) does not necessarily protect against attacks that exploit the new Exchange vulnerabilities, especially if an account has already been compromised. “If the authentication is successful (2FA or not), CVE-2021-42321 could be exploited,” says Microsoft program manager Nino Bilic. “But in fact, 2FA can make authentication more difficult, so it can ‘help’ in that regard. But let’s say there is an account with 2FA that has been compromised – well, in that case it wouldn’t make any difference,” adds Bilic.
Microsoft recommends installing the updates as soon as possible.