The Cybersecurity and Infrastructure Security Agency (CISA) on March 3 issued an emergency directive to Federal civilian agencies to patch a critical vulnerability in Microsoft Exchange on-premises products.  The agency said that cloud services such as Microsoft 365 and Azure systems “are not known to be affected by this vulnerability.”

The directive tells agencies “running Microsoft Exchange on-premises products to update or disconnect the products from their networks until updated with the Microsoft patch released” on March 2. It also instructs agencies to collect forensic images if they are able to do so, and to “search for known indicators of compromise after patching, and if indicators are found, contact CISA to begin incident response activities.”

“The directive is in response to observed active exploitation of these products using previously unknown vulnerabilities,” CISA said.

“This emergency directive will help us secure Federal networks against the immediate threat while CISA works with its interagency partners to better understand the malicious actor’s techniques and motivations to share with our stakeholders,” said Brandon Wales, acting CISA director, in a statement.

“The swiftness with which CISA issued this emergency directive reflects the seriousness of this vulnerability and the importance of all organizations – in government and the private sector – to take steps to remediate it,” Wales said.

The agency said that its directive reflects the finding “that exploitations that pose an unacceptable risk to the Federal civilian executive branch agencies require emergency action.” The agency made the assessment “on the basis of 1) current exploitation of these vulnerabilities, 2) the likelihood of widespread exploitation of the vulnerabilities after public disclosure and the risk that Federal government services to the American public could be degraded.”

“CISA and the National Security Agency worked with Microsoft and security researchers to identify detection and mitigation approaches to these vulnerabilities, for which Microsoft released the patch this afternoon,” the agency said.

Read More About
More Topics
John Curran
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.