Security News > 2021 > April > MS Patch Tuesday: NSA Reports New Critical Exchange Flaws

Just weeks after a wave of major in-the-wild zero-day attacks against Exchange Server installations globally, Microsoft is raising a fresh alarm for four new critical security flaws that expose businesses to remote code execution attacks.
The four new Exchange Server vulnerabilities were fixed as part of this month's Patch Tuesday bundle and because of the severity of these issues, Microsoft has joined with the U.S. National Security Agency to urge the immediate deployment of the new fixes.
The NSA is credited with reporting two of the four Exchange Vulnerabilities - CVE-2021-28480 and CVE-2021-28481 - and the agency is warning.
These bugs may be wormable between Exchange servers.
"Considering the source, and considering these bugs also receive Microsoft's highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible," ZDI added.
Of the 114 documented bugs, 19 are rated "Critical," Microsoft's highest severity rating.
News URL
Related news
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- March 2025 Patch Tuesday forecast: A return to normalcy (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)
- April 2025 Patch Tuesday forecast: More AI security introduced by Microsoft (source)
- Week in review: Probing activity on Palo Alto Networks GlobalProtect portals, Patch Tuesday forecast (source)
- Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-13 | CVE-2021-28480 | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |
2021-04-13 | CVE-2021-28481 | Unspecified vulnerability in Microsoft Exchange Server 2013/2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 0.0 |