Cybersecurity & Risk Management

Patch Tuesday April 2021 Edition…Here We Go Again: More Exchange RCEs

By Randy Becker April 13, 2021

By Randy Becker, VP & Principal Security Architect

Microsoft April 2021 Patch Tuesday brings us 4 critical on-premises Exchange RCE CVEs, 2 with a base CVSS Score of 9.8 out of 10 with no privileges required, 1 with a CVSS Score of 9 with an attack vector adjacent with low privileges required, and 1 with an 8.8 and low privileges required.

These significant vulnerabilities should be patched ASAP

These impact on-premises Exchange Server versions 2013, 2016, and 2019. Note that the Exchange updates released in March of 2021 do not remediate against these new vulnerabilities announced today. These are significant vulnerabilities that should be patched as soon as possible following your normal change and testing processes. Is it time to enhance your vulnerability management program to deal with vulnerabilities like these and out of band zero-day vulnerabilities? The answer of course is Yes.

Patching instructions and further reading on the threat

The latest patches can be viewed on the Microsoft Security Response Center (MSRC) website. KB5001779 takes you to the 4 new Exchange RCE vulnerabilities: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483. As usual, you must follow the instructions on this page or you may run into problems with the updates just like in last month’s updates.

How long before a POC exploit is made public?

It does not look like there is evidence of exploitation in the wild yet but exploitation is likely. Given the exploits we saw associated with the previous Exchange on-premises vulnerabilities, organizations are strongly recommended to prioritize installing the latest updates. It also looks like there are a few critical severity RCE vulnerabilities impacting all supported versions of Windows. The same process goes with these per usual patching.

Important steps we should all be taking

Follow proper change control process
Test your patches before rolling into production
Ensure you have immutable backups of all systems—that way if the worst happens you have a method of recovering.
If you have an on-premises Microsoft Exchange Server, regardless of whether it’s exposed to the Internet or not, patch it!
Ask yourself if now is the time to consider a move to Microsoft Online Exchange?

If you have an on-premises Microsoft Exchange Server and need help patching or would like to implement immutable backups or create an Incident Response Plan, reach out to your Blue Mantis Account Manager or reach out to us!

Randy Becker

VP and Principal Security Architect

At Blue Mantis, Randy leads the offensive security practice, leveraging red team tactics, adversarial threat simulations, and penetration testing to discover critical vulnerabilities and demonstrate real-world exploitation—before threat actors can. Randy specializes in Active Directory exploitation and brings deep expertise across offensive security, risk management, cloud security, and hybrid infrastructure. He holds certifications including OSEP, OSCP, CISSP, and CCNP. Working closely with clients, he designs and implements security solutions that shrink attack surfaces and strengthen defenses in an increasingly dangerous cyber landscape. He also develops comprehensive security strategies to help clients detect, contain, and remediate threats while maintaining industry and federal compliance requirements.

State	Types of Residents To Whom The Law Applies	Exceptions For Employment-Related Information
Colorado	An individual who is a Colorado resident acting only in an individual or household context and does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.	Data maintained for employment records purposes.
Connecticut	An individual who is a resident of Connecticut and does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with us occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.	Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor, to the extent that the data is collected and used within the context of that role.
Montana	An individual who is a resident of Montana and does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.	Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor, to the extent that the data is collected and used within the context of that role.
Oregon	A natural person who resides in Oregon and acts in any capacity other than in a commercial or employment context.	Information processed or maintained solely in connection with, and for the purpose of, enabling an individual’s employment or application for employment; an individual’s ownership of, or function as a director or officer of, a business entity; or an individual’s contractual relationship with a business entity.
Texas	An individual who is a resident of Texas acting only in an individual or household context and does not include an individual acting in a commercial or employment context.	Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor, to the extent that the data is collected and used within the context of that role.
Utah	An individual who is a resident of Utah acting in an individual or household context and does not include an individual acting in an employment or commercial context.	Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor, to the extent the collection and use of the data are related to the individual’s role.
Virginia	A natural person who is a resident of Virginia acting only in an individual or household context and does not include a natural person acting in a commercial or employment context.	Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor, to the extent that the data is collected and used within the context of that role.

By Need

By Industry

By Function

Learn

FEatured Resource

When the Cloud Goes Dark: Disaster Recovery Lessons from the AWS Outage

Company

FEatured News

Blue Mantis Introduces Comprehensive Real-Time Analytics Solution Delivering Advanced Visibility and Security for Enterprise Networks

Patch Tuesday April 2021 Edition…Here We Go Again: More Exchange RCEs

Randy Becker

Quicklinks

About

Communication Signup

Scope of State Law

By Need

By Industry

By Function

Learn

FEatured Resource

When the Cloud Goes Dark: Disaster Recovery Lessons from the AWS Outage

Company

FEatured News

Blue Mantis Introduces Comprehensive Real-Time Analytics Solution Delivering Advanced Visibility and Security for Enterprise Networks

Patch Tuesday April 2021 Edition…Here We Go Again: More Exchange RCEs

Randy Becker

Recent Blog Posts

The Time to Get SASE is Now

Microsoft Ignite 2025: Top AI Innovations and Enterprise Impact

When the Cloud Goes Dark: Disaster Recovery Lessons from the AWS Outage