On March 2nd, Microsoft published a security patch for 4 vulnerabilities on Microsoft Exchange Server. Security researchers detected that those vulnerabilities are actively exploited for targeted attacks.
The vulnerable version are:
- Microsoft Exchange Server 2010
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
All OVHcloud Exchange managed services have been patched in emergency by Wednesday end of day. Exchange Web Service and Exchange Control Panel were temporarily deactivated between the vulnerability disclosure and the end of patching operations, as Veloxcity researchers described in their blog that the RCE was triggered using Exchange Web Service.
OVHcloud recommend to all customers operating Exchange servers on their own to patch those systems urgently.