Out-of-Band security updates have been released for Exchange 2019, Exchange 2016, Exchange 2013 and even Exchange 2010 (which has been out of support since October 13, 2020).
The reason is that multiple zero-day vulnerabilities in Exchange Server are being actively exploited by a nation-state affiliated group (tracked by Microsoft as HAFNIUM).
It is recommended that you start patching immediately, beginning with servers that are reachable from the Internet (such as servers publishing Outlook on the Web/OWA and ECP). Note that the update closes the vulnerabilities but does not remove web shells or other persistence an attacker may already have placed on a server that was exploited before it was patched.
The update fixes the following Remote Code Execution vulnerabilities:
- Exchange 2013 / 2016 / 2019
  - CVE-2021-26412
  - CVE-2021-26854
  - CVE-2021-26855 (zero-day)
  - CVE-2021-26858 (zero-day)
  - CVE-2021-27065 (zero-day)
  - CVE-2021-27078
- Exchange 2010 / 2013 / 2016 / 2019
  - CVE-2021-26857 (zero-day)
View: Exchange Blog: Released: March 2021 Exchange Server Security Updates
View: On the Issue Blog: New nation-state cyberattacks
View: Microsoft Security Blog: HAFNIUM targeting Exchange Servers with 0-day exploits
View: Microsoft Security Response Center (MSRC) Blog: Multiple Security Updates Released for Exchange Server
Exchange 2019 CU8 – Download – KB5000871
Exchange 2019 CU7 – Download – KB5000871
Exchange 2016 CU19 – Download – KB5000871
Exchange 2016 CU18 – Download – KB5000871
Exchange 2013 CU23 – Download – KB5000871
Exchange 2010 SP3 RU32 – Download – KB5000978
These security updates are also included in Exchange 2019 CU9 and Exchange 2016 CU20.
If you are running an older CU of Exchange and can’t directly upgrade to the latest CU, see: March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.
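To verify that the update above is actually installed on every server (and to work through the Internet-facing ones first, as recommended above), here is an added PowerShell example; it is not code from the original post or from Microsoft. The important caveat it encodes is that `Get-ExchangeServer`'s `AdminDisplayVersion` only changes with a Cumulative Update, not with a Security Update, so the script reads the file version of `ExSetup.exe` on each server instead. The patched build numbers come from Microsoft's "Exchange Server build numbers and release dates" reference and should be checked against that page; the server list, the `InternetFacing` list and WinRM access to all servers are assumptions.

```powershell
<#
  Added example (not from the original post): report which Exchange servers
  carry the March 2021 security update, Internet-facing servers first.
  Assumes it is run from the Exchange Management Shell with WinRM access.
#>
param(
    # Servers to check; defaults to every Exchange server in the organisation
    [string[]]$ComputerName = (Get-ExchangeServer | Select-Object -ExpandProperty Name),
    # Assumed list of servers that publish OWA/ECP to the Internet; these are checked first
    [string[]]$InternetFacing = @()
)

# Builds that contain the fix, keyed by CU build (major.minor.build).
# Values per Microsoft's build-number reference; verify before relying on them.
$PatchedBuilds = @{
    '15.2.858'  = [version]'15.2.858.5'    # Exchange 2019 CU9  (fix included in the CU)
    '15.2.792'  = [version]'15.2.792.10'   # Exchange 2019 CU8  + KB5000871
    '15.2.721'  = [version]'15.2.721.13'   # Exchange 2019 CU7  + KB5000871
    '15.1.2242' = [version]'15.1.2242.4'   # Exchange 2016 CU20 (fix included in the CU)
    '15.1.2176' = [version]'15.1.2176.9'   # Exchange 2016 CU19 + KB5000871
    '15.1.2106' = [version]'15.1.2106.13'  # Exchange 2016 CU18 + KB5000871
    '15.0.1497' = [version]'15.0.1497.12'  # Exchange 2013 CU23 + KB5000871
    '14.3.513'  = [version]'14.3.513.0'    # Exchange 2010 SP3 RU32 (KB5000978)
}

function Get-ExSetupBuild {
    param([Parameter(Mandatory)][string]$Server)
    # ExSetup.exe is bumped by Security Updates; AdminDisplayVersion is not.
    # The build is returned as a string so it survives remoting on any PowerShell version.
    Invoke-Command -ComputerName $Server -ErrorAction Stop -ScriptBlock {
        $vi = (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo
        '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
}

function Test-March2021SU {
    param([Parameter(Mandatory)][string]$Server, [bool]$IsInternetFacing)
    $result = [ordered]@{ Server = $Server; InternetFacing = $IsInternetFacing; Build = $null; Status = $null }
    try {
        $build = [version](Get-ExSetupBuild -Server $Server)
    } catch {
        # Unreachable servers must not silently drop out of the report
        $result.Status = "Unreachable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $result.Build = $build
    $cuKey = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
    if (-not $PatchedBuilds.ContainsKey($cuKey)) {
        # A CU the SU does not cover: follow the older-CU guidance linked in the post
        $result.Status = 'Unsupported CU: move to a supported CU before applying the SU'
    } elseif ($build -ge $PatchedBuilds[$cuKey]) {
        # A later SU on the same CU also satisfies this check
        $result.Status = 'Patched'
    } else {
        $result.Status = 'UNPATCHED'
    }
    [pscustomobject]$result
}

# Check Internet-facing servers first, as the post recommends
$ordered = @($ComputerName | Where-Object { $InternetFacing -contains $_ }) +
           @($ComputerName | Where-Object { $InternetFacing -notcontains $_ })

$report = foreach ($s in $ordered) {
    Test-March2021SU -Server $s -IsInternetFacing ($InternetFacing -contains $s)
}
$report | Format-Table Server, InternetFacing, Build, Status -AutoSize
```

Two points when acting on the report: install the `.msp` from an elevated command prompt rather than by double-clicking it, because Microsoft documents that a non-elevated install of these updates can leave files unpatched and Exchange services disabled; and treat "Patched" as the minimum, not as proof the server is clean, since a server that was exploited before the update was applied keeps whatever the attacker left behind.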