Critical Exchange Server Vulnerabilities let Attackers Execute Remote Code

Microsoft has released security updates for vulnerabilities found in the below versions of Exchange servers on the 13^th April 2021 which is depicted as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483

• Exchange Server 2013
• Exchange Server 2016
• Exchange Server 2019

Updates Available for Specific Builds:

These updates are available for the following specific builds of Exchange Server:

• Exchange Server 2013 CU23
• Exchange Server 2016 CU19 and CU20
• Exchange Server 2019 CU8 and CU9

What is the need for this update release?

There were vulnerabilities which were addressed in the April 2021 security updates, as a result, Microsoft has advised to install these updates immediately.

These vulnerabilities affect Microsoft Exchange Server. Exchange Online customers are already protected and do not need to take any action.

There are two update paths as follows:

Health Checker:

Anyone can use this Health Checker that can be downloaded from GitHub (use the latest release), to inventory the servers. Running this script will give a result if any of the Exchange Servers are behind on updates (CUs and SUs).

Update to the latest Cumulative Update

Microsoft has advised to go to https://aka.ms/ExchangeUpdateWizard and choose the currently running CU and target CU. Then click the “Tell me the steps” button, to get directions for the environment.

My organization is in Hybrid mode with Exchange Online. Do I need to do anything?
While Exchange Online customers are already protected, the April 2021 security updates do need to be applied to your on-premises Exchange Server, even if it is used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.

Do the April 2021 security updates contain the March 2021 security updates for Exchange Server?
Yes, security updates are cumulative. Customers who installed the March 2021 security updates for supported CUs can install the April 2021 security updates and be protected against the vulnerabilities that were disclosed during both months. If you are installing an update manually, do not double-click on the .msp file, but instead run the install from an elevated CMD prompt.

Do I need to install the updates on ‘Exchange Management Tools only’ workstations?
Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.

Is there no update for Exchange Server 2010?
No, Exchange 2010 is not affected by the vulnerabilities fixed in the April 2021 security updates.