Microsoft released security updates for multiple on--premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group that we are calling Hafnium. The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
The versions affected are:
To minimize or avoid impacts of this situation, Microsoft highly recommends that you take immediate action to apply the updates for any on-premises Exchange deployments you have or are managing for a customer or advise your customer of the steps they need to take. The priority being servers which are accessible from the Internet (for example, servers publishing Outlook on the web/OWA and ECP).
Please ensure you keep reading the Microsoft Security Response Center and Exchange Team blogs for the latest information.