Microsoft has recently identified zero-day exploits and vulnerabilities in all active Exchange Server on-premise released and has announced (March 2021) that a series of critical patches have been released for all Exchange Server on-premise versions (2013, 2016, 2019) which mitigate the vulnerabilities. Exchange Server Online is not affected. To urgently patch the Exchange Server on-premise vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.
- You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).
- It is also recommended that your security team assess whether or not the vulnerabilities have been exploited by using guidance from the following article: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.
Sources of further information for Microsoft partners
- Microsoft On the Issues blog
- Microsoft Security Response Center (MSRC) release – Multiple Security Updates Released for Exchange Server
- Exchange Team Blog
- MSTIC Blog
- MSRC Blog
- Out of Band Exchange Release Customer Alert
- Security Update Guide
Exchange patch information