On March 2, 2020, Microsoft released an out-of-band patch to address four vulnerabilities affecting Exchange Server 2013, 2016, and 2019.
Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code on vulnerable Exchange Servers and thereby enable persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. The U.S. Department of Homeland Security and the Federal Bureau of Investigation have stated that nation-state actors and cyber criminals are believed to be exploiting these vulnerabilities on networks running unpatched versions of Exchange Server.
Neither Broadcom nor any of its global component businesses utilize Microsoft Exchange Server for corporate email communications. Accordingly, at this time we believe Broadcom has no substantial exposure to the activities of malicious actors who are exploiting these vulnerabilities.
Broadcom’s Symantec Threat Hunter Team continues to monitor activities associated with this threat and report on its discoveries through alerts to our customers and posts on the Symantec Enterprise Blogs.