GCS Response to Microsoft Exchange Vulnerability

Following the recent Microsoft announcement regarding a potential vulnerability in on-premises Microsoft Exchange servers, and aligned with our firm’s commitment to maintain the privacy and security of your data, General Credit Services is assuring our client partners that our firm, and subsequently your data, is not at risk. We do not utilize on-premises Microsoft Exchange servers and therefore this potential vulnerability does not apply.

To further ensure no potential risks exist, we have issued a questionnaire through our Vendor Management Program to determine if any of our partner vendors utilize on-premises Microsoft Exchange servers. In the event that we determine any potential vulnerability, we will ensure that any risk is mitigated.

Below is a copy of the media announcement outlining the potential vulnerability for further reference. 

‘On-premises Microsoft Exchange servers (Server 2013, Server 2016, and Server 2019) are under widespread and active exploitation by an advanced foreign adversary, per Microsoft, industry, and government reporting as of early March. The threat actor is commonly gaining access to internet-accessible Exchange servers through use of a previously undisclosed vulnerability (CVE-2021-26855) and is subsequently creating a webshell via exploitation of CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 to gain remote control of the compromised server, which can be used to further attacks including data theft from affected organizations. Microsoft issued an out-of-band security patch addressing the four previously unknown vulnerabilities and is urging prioritization of updated installation.’