On March 2nd 2021, Microsoft warned of several zero-day vulnerabilities in its Exchange Server application, including a critical remote code execution (RCE) vulnerability: CVE-2021-26855. This CVE was listed with a Base Score of 9.8 or critical by NIST. Exploitation complexity of this vulnerability is categorized as low as it requires no authorization, and or local access to implement.
In response to this critical vulnerability, we have added new Microsoft Exchange Server policies to our ECRS ruleset, with rules to protect against CVE-2021-26855. Our WAF customers can opt-in to the new rules by either updating their profiles to the latest version or pinning their profiles to always use the latest version of our rulesets. We recommend our customers first test the new rules in Audit mode to monitor for the potential impact on their production traffic prior to applying the rules in Block mode.
If you have questions about these developments or would like to learn more about our comprehensive suite of delivery and security solutions, contact us today.