Mumbai: Hundreds of organisations using Microsoft Exchange Server, a Microsoft product that provides email hosting services for companies around the world, are currently vulnerable to cyber-attack through two recently detected high-severity vulnerabilities.

Both the Indian Computer Emergency Response Team (CERT-In), India’s apex agency for cybersecurity, and Microsoft have stated that these vulnerabilities have already been exploited by hackers, and no patch has been released for them as yet.

Exchange Server allows organisations to set up official email domains in the name of the organisation and assign individual official email accounts to the employees. The biggest risk associated with such a service is that unauthorised entry into a single account could potentially compromise the entire company through further attacks. Microsoft Exchange Server is used by hundreds of companies the world over.

CERT-In’s advisory, which was issued on Saturday, states that the two vulnerabilities could allow a hacker to gain access to a device and execute remote code on it. Remote code execution means any code or program run by a hacker on a victim’s device without the knowledge or consent of the device owner.

However, this can only be done by someone who already has login credentials for Microsoft Exchange Server, known in Information Technology (IT) terms as an authenticated attacker.

“An authenticated attacker could exploit these vulnerabilities by sending a specially-crafted request to the affected system. Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution on the targeted system,” CERT-In’s advisory states, adding, “Note: These vulnerabilities are being exploited in the wild.” The term ‘exploited in the wild’ refers to the fact that an exploit for the said vulnerability exists and is being used.

In an official update on its website, Microsoft confirmed both the vulnerabilities and stated that the first one can be used to trigger the other. The tech giant also confirmed that an attacker would need authenticated access to an Exchange server before being able to exploit the two vulnerabilities.

According to Microsoft, the first vulnerability allows authenticated attackers to contact the server by posing as an affected machine, while the second one gives them access to other vulnerable systems connected to the server and lets them move laterally through those systems. Further, this can be done by any email user, not necessarily someone with administrator access.

“Microsoft Security Threat Intelligence Center (MSTIC) observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining (the two vulnerabilities) in a small number of targeted attacks. Microsoft observed these attacks in fewer than 10 organisations globally. MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organisation,” Microsoft’s official statement on the matter said.

The two vulnerabilities fall under the category of ‘zero-day’, where a vulnerability is only discovered after it is exploited by attackers. It is so named because there are zero days between its discovery and its exploitation. These two zero-days were discovered by GTSC, a Vietnamese cybersecurity firm, in August 2022. The firm submitted its report to Microsoft and published a blog post last month because the two zero-days were under active exploitation and users needed to be warned.

In the absence of a patch for the two vulnerabilities so far, Microsoft has put out a detailed set of mitigations, which IT administrators are advised to apply to protect their respective companies from external attacks.