Remediating Microsoft Exchange Vulnerabilities
On March 2, 2021, Microsoft released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server products. On March 3, after CISA and partners observed active exploitation of vulnerabilities, CISA issued Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities and Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities.
An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack. Leaders at all organizations must immediately address this incident by asking their IT personnel:
- What steps your organization has taken;
- Whether your organization has the technical capability to follow the guidance provided below; and
- If your organization does not have the capability to follow the guidance below, whether third-party IT security support has been requested.
Leaders should request frequent updates from in-house or third-party IT personnel on progress in implementing the guidance below until completed.
For IT Security Staff:
As exploitation of these vulnerabilities is widespread and indiscriminate, CISA strongly advises all system owners complete the following steps:
- If you have the capability, follow the guidance in CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities to create a forensic image of your system.
- Check for indicators of compromise (IOCs) by running the Microsoft IOC Detection Tool for Exchange Server Vulnerabilities.
- Immediately update all instances of on-premises Microsoft Exchange that you are hosting.
- If you are unable to immediately apply updates, follow Microsoft’s alternative mitigations in the interim. Note: these mitigations are not an adequate long-term replacement for applying updates; organizations should apply updates as soon as possible.
- If you have been compromised, follow the guidance in CISA Alert AA21-062A. For additional incident response guidance, see CISA Alert AA20-245A: Technical Approaches to Uncovering and Remediating Malicious Activity. Note: Responding to IOCs is essential to evict an adversary from your network and therefore needs to occur in