This article is contributed. See the original author and article here.

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:

  • Exchange Server 2013

  • Exchange Server 2016

  • Exchange Server 2019

Security updates are available for the following specific versions of Exchange:

  • Exchange Server 2010 (RU 31 for Service Pack 3 – this is a Defense in Depth update)

  • Exchange Server 2013 (CU 23)

  • Exchange Server 2016 (CU 19, CU 18)

  • Exchange Server 2019 (CU 8, CU 7)

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

For more information, please see the Microsoft Security Response Center (MSRC) blog.

For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers.

Additional details

Does installing the March Security Updates require my servers to be up to date?

Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running older Exchange Server cumulative or rollup update, you will need to install a currently supported RU/CU before you can install the security updates.

How can I get an inventory of the update-level status of my on-premises Exchange servers?

You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

What is the order of installation for the Security Updates mentioned here?

Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.

Will the installation of the Security Updates take as long as installing an RU/CU?

Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.

The last Exchange 2016 and Exchange 2019 CU’s were released in December of 2020. Are new CU’s releasing in March 2021?

We are still on schedule to release Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 in March 2021 and those CUs will contain the Security Updates mentioned here (along with other fixes). Our strong recommendation is to install security updates immediately.

How can I tell if my servers have already been compromised?

Information on Indicators of Compromise (IOCs) – such as what to search for, and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers.

Are there any other resources that you can recommend?

Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.

The Exchange Team

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.