This past Tuesday, Microsoft released a critical Out-Of-Band security update pertaining to Exchange On-Premises
Multiple Security Updates Released for Exchange Server – Microsoft Security Response Center
There are active attacks targeting this vulnerability in the wild and as such, Alchemy recommends updating any On-Premises Exchange servers as soon as possible. Even if your mailboxes are on Exchange Online or Office 365, there is a high probability of having an On-Premises Exchange server still running and in need of patching.
The caveat here is that only the LATEST cumulative updates (CU) are patched.
Security updates are available for the following specific versions of Exchange:
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
You MUST be running the latest CU in order to fully remediate the vulnerability.
Alchemy has identified that these patches MUST be run with administrative (UAC) credentials, from an admin-elevated command prompt in order to be effective.
If the patch is not run with admin credentials, the patch will silently fail, and cause Exchange NOT to start.
In addition, if the Exchange servers need to get current, it is best to run the AD Prep/PrepareAD process FIRST before applying the CU. We have had reports of issues where this is not applied correctly.
More information can be found on the Exchange Blog Released: March 2021 Exchange Server Security Updates – Microsoft Tech Community and vulnerability information can be found at the CISA release Microsoft Releases Out-of-Band Security Updates for Exchange Server | CISA
If you need any assistance with either the upgrade, or the patch install, please reach out to Alchemy.
