The vulnerabilities described on this and the following pages are known as the ProxyLogon vulnerabilities, which affect various versions of the on-premises Microsoft Exchange email server. If you have a Microsoft Exchange email server on-site (rather than in the ‘cloud’ through Microsoft 365) you may be at risk from these vulnerabilities. In particular:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
You are encouraged to read the following information if the Operation Configured team have informed you that your organisation may have these vulnerabilities and, as a result, be at greater risk of criminal cyber-attacks. The following pages will give you an indication of the risk these vulnerabilities pose and the possible consequences of ignoring it, and will point you towards confirming and solving the underlying problem. The guidance that follows is split into non-technical and technical content, which you can choose between based on your level of knowledge and understanding.
IMPORTANT: While SEROCU are notifying organisations of this vulnerability, Officers from the team will NOT be asking for any information or other details. They will only be providing information. Any unsolicited contact claiming to be from the Police should always be treated with caution. For more information read about Verifying Authenticity.
These vulnerabilities have been assigned unique, verifiable reference numbers (CVEs), which allow you to easily find more information about them from other sources. You can find out more and verify these reference numbers using a simple web search. The Common Vulnerabilities and Exposures (CVE) reference numbers for these vulnerabilities are:
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
The majority of vulnerabilities are scored using a common scoring framework, known as the Common Vulnerability Scoring System (CVSS), which bases its scores on various metrics, including the impact. This allows organisations to easily compare the risks posed by different vulnerabilities. The CVSS scores for these vulnerabilities are:
- CVE-2021-26855: Critical – 9.8 out of 10
- CVE-2021-26857: High – 7.8 out of 10
- CVE-2021-26858: High – 7.8 out of 10
- CVE-2021-27065: High – 7.8 out of 10
This translates to a potentially critical degree of risk.
These vulnerabilities have been actively exploited by cyber criminals, causing significant damage and financial losses to organisations of all sizes around the world. If you have these vulnerabilities, fixing them as soon as possible is essential to protecting your organisation. The cost of fixing them is almost certainly less than the costs and losses incurred by a criminal cyber-attack.
There are two routes of further advice provided on our website which you can follow depending on your degree of technical ability and/or role.