It’s a light November 2021 Patch Tuesday from Microsoft: 55 fixed CVEs, of which two are zero-days under active exploitation: CVE-2021-42321, a Microsoft Exchange RCE, and CVE-2021-42292, a Microsoft Excel security feature bypass bug.
CVE-2021-42321, the remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019, is due to issues with the validation of command-let arguments.
In a blog post published by the Exchange Team, the company recommended that the provided updates for Microsoft Exchange be installed immediately.
The in-the-wild exploitation of CVE-2021-42292, the Microsoft Excel security feature bypass zero-day, was apparently discovered by Microsoft’s Security Threat Intelligence Center.
CVE-2021-42298, a Microsoft Defender RCE hole that will be plugged automatically on internet-connected systems when they receive the malware definition updates and the update for the Microsoft Malware Protection Engine.
CVE-2021-26443 a RCE affecting Microsoft Virtual Machine Bus that may allow a guest-to-host escape.