GovInfoSecurity
Doug Olenick • May 12, 2021
Microsoft issued patches Tuesday for four more vulnerabilities in on-premises versions of the Exchange Server corporate email platform, one of which is a zero-day flaw.
These latest patches come after Microsoft in March patched four critical flaws in Exchange Server that had been widely exploited by attackers.
Microsoft said a China-based group it calls Hafnium had exploited those flaws to gain persistent access to email systems, but researchers said several criminal groups had exploited the flaws.
Commenting on the latest Exchange patches, Satnam Narang, staff research engineer at the security firm Tenable, says: While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have ye
In-The-Wild & Disclosed CVEs
Up first in the list this month, we have a vulnerability that impacts .NET and Visual Studio and could allow a successful attacker to elevate their permissions. We see patches for Microsoft Visual Studio 2019 for Windows and macOS as well as .NET 5.0 and .NET Core 3.1. Microsoft indicates that while this has been publicly disclosed, it has not been exploited in the wild. Additional details regarding this vulnerability are available on the dotnet GitHub page.
Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.
Once again, we have a Microsoft Exchange Server vulnerability in the patch round-up. This time, it is a security feature bypass, one of the Exchange vulnerabilities found during Pwn2Own 2021.