Microsoft is continuing its efforts to make its on-premises Exchange products more secure. This month's update fixes two CVEs:
- CVE-2022-24463
  - A spoofing vulnerability in Exchange 2016 and 2019, possibly exposing files on the Exchange Server to an authenticated attacker.
- CVE-2022-23277
  - A remote code execution vulnerability in Exchange 2013, 2016 and 2019. An authenticated attacker could possibly execute malicious code as the Exchange Server's computer account.
At the time of writing, Microsoft is not aware of these vulnerabilities being actively exploited in the wild. However, as usual, it is highly recommended to update your systems as soon as you can.
How to get the update
You can either get the update directly through Windows Update, or from the corresponding Microsoft Tech Community article.
Alternatively, you can directly access the update for your corresponding Exchange CU level here:
Keep in mind that if you decide to get the update directly from Microsoft, you MUST run the downloaded .msu file from an elevated command prompt! Failing to do so will most likely damage your Exchange installation.