Alchemy Blog

Exchange Out-Of-Band Critical Vulnerability Found

This past Tuesday, Microsoft released a critical Out-Of-Band security update pertaining to Exchange On-Premises.

Multiple Security Updates Released for Exchange Server – Microsoft Security Response Center

There are active attacks targeting this vulnerability in the wild, and as such Alchemy recommends updating any On-Premises Exchange servers as soon as possible. Even if your mailboxes are on Exchange Online or Office 365, there is a high probability that you still have an On-Premises Exchange server running and in need of patching.

The caveat here is that only the LATEST cumulative updates (CU) are patched.

Security updates are available for the following specific versions of Exchange:

You MUST be running the latest CU in order to fully remediate the vulnerability.

Alchemy has identified that these patches MUST be run with administrative (UAC) credentials, from an admin-elevated command prompt in order to be effective.

If the patch is not run with admin credentials, the patch will silently fail, and cause Exchange NOT to start.
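A pre-flight wrapper for the elevation requirement described above, added here as an example and not Alchemy's or Microsoft's own script. The script name, the `$PatchPath` parameter and the log location are assumptions; it refuses to run unless the session is elevated, logs the install, and checks that the Exchange services came back.

```powershell
# Added example (hypothetical script name: Install-ExchangeSU.ps1).
# $PatchPath is a placeholder for the .msp you downloaded for your exact CU.
param(
    [Parameter(Mandatory = $true)]
    [string]$PatchPath
)
$ErrorActionPreference = 'Stop'

# 1. Stop immediately unless this session holds an elevated (UAC) admin token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Session is not elevated. Start PowerShell with "Run as administrator" and retry.'
}

# 2. Make sure the patch file is really there before touching anything.
if (-not (Test-Path -LiteralPath $PatchPath -PathType Leaf)) {
    throw "Patch file not found: $PatchPath"
}
$PatchPath = (Resolve-Path -LiteralPath $PatchPath).Path

# 3. Remember which Exchange services are running now, for comparison afterwards.
$runningBefore = @(Get-Service -Name 'MSExchange*' |
    Where-Object { $_.Status -eq 'Running' } |
    Select-Object -ExpandProperty Name)

# 4. Apply the patch with verbose logging so a failure is not silent.
$log     = Join-Path $env:TEMP ('ExchangeSU-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
$msiArgs = @('/p', "`"$PatchPath`"", '/L*v', "`"$log`"")
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with code $($proc.ExitCode). Review $log"
}

# 5. Confirm every service that was running before the patch is running again.
if ($runningBefore.Count -gt 0) {
    $notRunning = @(Get-Service -Name $runningBefore | Where-Object { $_.Status -ne 'Running' })
    if ($notRunning.Count -gt 0) {
        Write-Warning "Exchange services not running after patch (log: $log):"
        $notRunning | Format-Table Name, Status -AutoSize
    } else {
        Write-Output "Patch applied; all previously running Exchange services are up. Log: $log"
    }
}
```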

In addition, if the Exchange servers need to get current, it is best to run the AD Prep/PrepareAD process FIRST before applying the CU. We have had reports of issues where this is not applied correctly.

More information can be found on the Exchange Blog (Released: March 2021 Exchange Server Security Updates – Microsoft Tech Community), and vulnerability information can be found in the CISA release (Microsoft Releases Out-of-Band Security Updates for Exchange Server | CISA).

If you need any assistance with either the upgrade, or the patch install, please reach out to Alchemy.

Alchemist: Doug Lind

Practice Principal