Microsoft Exchange CVEs more widely exploited than thought

US CISA issues emergency guidance as impact of four newly disclosed Microsoft Exchange vulnerabilities becomes clearer

Published: 04 Mar 2021 14:49

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning all government civilian departments and agencies running an on-premises Microsoft Exchange installation to update or disconnect the product as the impact of four newly disclosed vulnerabilities – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – spreads.

The CISA has also called on US agencies to collect forensic images and search for known indicators of compromise (IOCs) in response to active exploitation of the vulnerabilities, which have prompted an out-of-sequence patch from Microsoft.