
Microsoft Exchange Server with another critical vulnerability: April 2021 CU update available

(Post picture: © 2021 Microsoft)

We remember the huge security hole in Microsoft Exchange Server at the beginning of March. Now there is another security update for a security problem in the popular Microsoft mail server. It fixes a vulnerability discovered a few days ago. The BSI is already issuing a warning.

At Pwn2Own 2021, participants from all over the world tried to find security gaps in well-known systems and take those systems over. Exchange Server was in focus once again (we remember the beginning of March) and was successfully taken over during the event. The vulnerabilities were then reported to Microsoft; no attacks are currently known. Likewise, the gaps are not yet public. As we know, however, such a gap can be exploited fairly quickly. Microsoft published the new security patches less than an hour ago today, and they fix four holes. The gaps newly reported at Pwn2Own have not yet been fixed; patches for these will probably arrive in May. These will then be regarded as critical again:

Microsoft Exchange Server: Download the April 2021 security patch

The BSI also warns about the security gaps and strongly recommends installing the updates. The BSI document contains further information on this. Admins should really pay attention here, considering the incident at the beginning of March, when several 100,000 Exchange servers all over the world were taken over. About the current gap it says:

The DEVCORE team combined an authentication bypass and a local privilege escalation to completely take over the Exchange server.

Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.

Updates are available for Exchange Server 2013 (CU23), 2016 (CU19, CU20) and 2019 (CU8, CU9). We have linked each update directly from the relevant CU. Microsoft also points out that these updates should be started from a command prompt with admin rights. The CMD is started with a right click -> "Run as administrator", and then the path of the update file is entered directly.

If no update is available for the version in use, the server must first be updated to a supported CU. The security update can then be installed. All other servers are unprotected.
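The elevated installation described above, as an added example that is not part of the original article or of Microsoft's guidance: a PowerShell wrapper that refuses to run unless the session is elevated, checks the patch file's signature, and applies it with a verbose log. The patch path is a placeholder, and the script assumes the downloaded .msp is Authenticode-signed.

```powershell
# Added example: apply an Exchange security update (.msp) only from an
# elevated session. The patch path is a placeholder supplied by the admin.
param(
    [Parameter(Mandatory = $true)]
    [string]$PatchPath   # e.g. C:\Temp\<downloaded-update>.msp (placeholder)
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to continue unless the session runs with admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Not elevated. Start the shell with "Run as administrator" and retry.'
}

# 2. Make sure the file exists and its Authenticode signature validates
#    (assumption: the downloaded package is signed).
$patch = Get-Item -LiteralPath $PatchPath
$sig   = Get-AuthenticodeSignature -FilePath $patch.FullName
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $($patch.Name): $($sig.Status)"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# 3. Apply the patch through Windows Installer and keep a verbose log.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$log     = Join-Path $env:TEMP "exchange-su-$stamp.log"
$msiArgs = @('/update', "`"$($patch.FullName)`"", '/l*v', "`"$log`"")
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 4. Exit code 0 = success, 3010 = success with a reboot pending.
switch ($proc.ExitCode) {
    0       { Write-Host "Installed. Log: $log" }
    3010    { Write-Host "Installed, reboot required. Log: $log" }
    default { throw "msiexec exited with $($proc.ExitCode). See $log" }
}
```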

Alternatively, the update is also available via Windows Update, which, as usual, is not always completely reliable. If you want to be on the safe side, install the patch directly. Don't forget to make a backup beforehand. And this time it's best to really work a night shift this evening before there are nasty surprises like at the beginning of March.


David Wurm


Hello David,
maybe it should be mentioned again that the PWN2OWN gaps were not closed by the latest Exchange patches.
Best regards, Seb