Microsoft Exchange Server critical patches

Microsoft announcement

Microsoft has recently identified zero-day exploits and vulnerabilities in all active Exchange Server on-premise released and has announced (March 2021) that a series of critical patches have been released for all Exchange Server on-premise versions (2013, 2016, 2019) which mitigate the vulnerabilities. Exchange Server Online is not affected. To urgently patch the Exchange Server on-premise vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server. This short article provides an overview of the Microsoft Exchange Server critical patches.

  • You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).
  • It is also recommended that your security team assess whether or not the vulnerabilities have been exploited by using guidance from the following article: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.

Sources

Sources of further information for Microsoft partners

Exchange patch information

Bear in mind that Exchange Server 2019 was the last version which was released for on-premises workloads. Afterwards, Exchange Online took the lead and also introduced options for Hybrid Exchange deployments, i.e. combining on-premises with cloud deployments of the Exchange Server software.