Government agencies must update Microsoft Exchange as feds warn of 'unacceptable' security risk

Key Points
  • Microsoft on Tuesday issued new patches for the 2013, 2016 and 2019 versions of Exchange.
  • CISA ordered all federal agencies to deploy the patches by Friday, saying the vulnerabilities pose an "unacceptable" risk.
  • Unlike patches issued in March, which fixed gaps that had been exploited by Chinese hackers, Microsoft said it is not aware of exploits of these new vulnerabilities.


Microsoft on Tuesday released patches for three versions of its Exchange Server email and calendar software that companies use in on-premises data centers, and the federal government has ordered all agencies to install them, warning that the vulnerabilities being patched "pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action."

The updates come a month after Microsoft took action to respond to attacks on other flaws in Exchange Server, which the company said had been exploited by Chinese hackers. But unlike last time, Microsoft said in a blog post it has not yet observed exploits of the newly discovered holes.

Nonetheless, the widespread usage of Exchange, and the importance of email in general, has spurred the federal government to sound the alarm.

In a Tuesday directive, the U.S. Cybersecurity and Infrastructure Security Agency noted that these vulnerabilities are "different from the ones disclosed and fixed in March 2021" and ordered all government agencies to deploy the patches before Friday.

"Given the powerful privileges that Exchange manages by default and the amount of potentially sensitive information that is stored in Exchange servers operated and hosted by (or on behalf of) federal agencies, Exchange servers are a primary target for adversary activity," CISA wrote. "This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information."

The new patches apply to the 2013, 2016 and 2019 versions of Exchange Server.

The company said organizations using the cloud-based Exchange Online service included in Microsoft 365 subscription bundles are already protected.

Microsoft gave credit to the U.S. National Security Agency for reporting the new vulnerabilities.