In March, Exchange Server headlined the cybersecurity news section when it was discovered that it is under attack from state-sponsored groups. Microsoft was quick to release out-of-band updates for both supported and unsupported versions of Exchange, tools to break the attack chain, as well as advisories for customers. As a result of its efforts, hundreds of thousands of on-premises Exhange Server instances were patched against vulnerabilities. It is important to note that Exchange Online was not affected by this incident.
Now, Microsoft has released yet another set of security updates for Exchange Server to tackle newly discovered Remote Code Execution (RCE) vulnerabilities.
This time around, security updates are only available to Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9. If you're not on any of the aforementioned cumulative updates (CUs), Microsoft recommends that you first upgrade to a supported environment and then apply the security updates. Once again, Exchange Online customers do not need to do anything.
The Redmond tech giant says that the April 2021 security updates (SUs) patches RCE vulnerabilities that were privately reported to the firm by the National Security Agency (NSA). Although Microsoft's investigation indicates that the exploit is not being utilized by attackers, it still urges customers to apply the SU as quickly as possible.
It is important to note that since SUs are cumulative, customers who apply the April updates will also be protected against vulnerabilities reported in March. However, customers with SUs released in March are unprotected against these new security flaws. Microsoft has cautioned that unlike last time, it does not plan to release out-of-band SUs for unsupported versions of Exchange Server. There are 47 old CUs affected by this flaw and it's not possible for Microsoft to invest effort in releasing updates for all of them. As such, it recommends updating to a current environment in order to apply the updates. Finally, the company has also noted that SUs have not been released for Exchange Server 2010 as it is unaffected by the latest vulnerabilities. You can find out more about the updates by heading over to Microsoft's blog post here.