Here’s how to keep your business safe

UPDATE: On 13 April 2021 Microsoft released security updates to mitigate significant newly discovered vulnerabilities in Microsoft Exchange 2013, 2016 and 2019.

The new vulnerabilities are: 

The patches previously released by Microsoft in March 2021 do not remediate these new vulnerabilities and organisations must apply Microsoft’s 13 April 2021 updates to prevent potential compromise.

The vulnerabilities previously identified were: 

  • CVE-2021-26855 - server-side request forgery (SSRF) vulnerability in Exchange.
  • CVE-2021-26857 - insecure deserialization vulnerability in the Unified Messaging service.
  • CVE-2021-26858 - post-authentication arbitrary file write vulnerability in Exchange.
  • CVE-2021-27065 - post-authentication arbitrary file write vulnerability in Exchange.

 

What do I need to do?

Microsoft has released security updates for vulnerabilities found in:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Additional details relating to the April 2021 patches are available here, whilst information regarding the March 2021 patches is available here.

Organisations should apply the new patches as soon as possible and also undertake the detection steps outlined in Microsoft's guidance.

These vulnerabilities affect Microsoft Exchange Server. Exchange Online customers are already protected and do not need to take any action.

For additional information, please see the Australian Cyber Security Centre guidance.

What could happen if my business doesn’t apply the patches?

If the patches aren’t applied, these vulnerabilities could be used by cyber attackers to compromise your business’ information and operations.

A range of cyber attackers – including some in the business of ransomware – were quick to take advantage of businesses that had failed to apply the March updates, which is why it’s critical to apply patches as soon as possible.

To find out more, visit cyber.gov.au.
