A critical security vulnerability with a CVSS 3.1 score of 9.0 has been published for Microsoft Exchange Server that allows remote code execution. The vulnerability allows code to be run under the Exchange Server application pool and Exchange Server server group accounts. It applies to the versions listed below. Although no exploitation of the published vulnerability has been detected, given its criticality it is recommended to download the published patches via the relevant links so that systems are not compromised.
Affected Systems
It has been stated that the following systems are affected:
- Microsoft Exchange Server 2019 Cumulative Update 10
- Microsoft Exchange Server 2016 Cumulative Update 21
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 11
- Microsoft Exchange Server 2016 Cumulative Update 22
Solution and CVE/CWE
It is recommended to install the updates specified in the table below.
CVE/CWE: CVE-2021-26427
Product | Article | Security Patch |
---|---|---|
Microsoft Exchange Server 2019 Cumulative Update 10 | 5007012 | Security Update |
Microsoft Exchange Server 2016 Cumulative Update 21 | 5007012 | Security Update |
Microsoft Exchange Server 2013 Cumulative Update 23 | 5007011 | Security Update |
Microsoft Exchange Server 2019 Cumulative Update 11 | 5007012 | Security Update |
Microsoft Exchange Server 2016 Cumulative Update 22 | 5007012 | Security Update |
Note: Under CVSS 3.1, a score of 7.0-8.9 (out of 10) is considered “high”, and a score of 9.0-10.0 is considered “critical”.
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26427
https://nvd.nist.gov/vuln/detail/CVE-2021-26427