Security updates have been released for Exchange 2016 and Exchange 2019. There is no security update for Exchange 2013 as support ended on April 11, 2023.
The updates fix the following vulnerabilities:
- CVE-2023-21709: Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-35368: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-35388: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-36744: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-36745: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-36756: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-36757: Microsoft Exchange Spoofing Vulnerability
- CVE-2023-36777: Microsoft Exchange Server Information Disclosure Vulnerability
- CVE-2023-38181: Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-38182: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-38185: Microsoft Exchange Server Remote Code Execution Vulnerability
None of the vulnerabilities is currently publicly disclosed or exploited. However, two of them are rated “Exploitation More Likely”, so make sure you update as soon as possible!
Additionally, to properly address vulnerability CVE-2023-21709, you must run a script or an additional PowerShell command as discussed in the referenced article.
The updates also contain the following new feature and fixes for non-security issues:
- Enable support for AES256-CBC-encrypted content in Exchange Server August 2023 SU
- DST settings are inaccurate after an OS update
- Microsoft Exchange replication service repeatedly stops responding
- Chinese coded characters aren’t supported in Exchange Admin Center
- External email address field doesn’t display the correct username
View: Exchange Blog: Released: August 2023 Exchange Server Security Updates
View: Exchange Blog: September 2023 release of new Exchange Server CVEs (resolved by August 2023 Security Updates)
View: Description of version 2 of the security update for Microsoft Exchange Server 2019 and 2016: August 15, 2023 (KB5030524)
Download: Security Update V2 for Exchange 2019 CU12 and CU13
Download: Security Update V2 for Exchange 2016 CU23