Security updates have been released for Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities:
- CVE-2023-36439: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2023-36050: Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36039: Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36035: Microsoft Exchange Server Spoofing Vulnerability
None of the vulnerabilities are currently publicly disclosed or exploited. However, they are all rated as “Exploitation More Likely”, so make sure you update as soon as possible!
The updates also contain the following new feature and fixes for non-security issues:
- Certificate signing of PowerShell serialization payload is now enabled by default.
  This feature was first released in January 2023 and disabled by default. Before installing this update, make sure your Exchange Server Auth Certificate is valid!
- Serialization payload signing fails to run RBAC cmdlets
- Mailbox migration fails with communication error permanent exception
- InvalidResponseException when you try to run Export-UMPrompt (Exchange 2016 only)
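
One way to run the Auth Certificate check mentioned above before installing the update. This is an added example, not part of the original post or of Microsoft's update notes. It assumes it is run from the Exchange Management Shell; the 60-day warning window and the status labels are choices made for this example.

```powershell
# Pre-install check: is the configured Exchange Auth Certificate present
# and inside its validity period on every non-Edge Exchange server?

# Assumption of this example: warn when fewer than 60 days of validity remain.
$WarnDays = 60

# Thumbprint of the certificate currently configured for server-to-server auth.
$thumb = (Get-AuthConfig).CurrentCertificateThumbprint
if (-not $thumb) {
    Write-Warning 'Get-AuthConfig reports no current Auth Certificate thumbprint.'
    return
}

$now     = Get-Date
# Edge Transport servers do not hold the Auth Certificate, so skip them.
$servers = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -notlike '*Edge*' }

$results = foreach ($server in $servers) {
    # The certificate must exist in the local store of each server.
    $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $thumb `
                -ErrorAction SilentlyContinue

    $status = if (-not $cert) { 'MISSING' }
        elseif ($cert.NotBefore -gt $now) { 'NOT YET VALID' }
        elseif ($cert.NotAfter -le $now) { 'EXPIRED' }
        elseif ($cert.NotAfter -le $now.AddDays($WarnDays)) { 'EXPIRING SOON' }
        else { 'OK' }

    [pscustomobject]@{
        Server     = $server.Name
        Thumbprint = $thumb
        NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Status     = $status
    }
}

$results | Format-Table -AutoSize

# Any status other than OK should be resolved before the update is installed.
$problems = @($results | Where-Object { $_.Status -ne 'OK' })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) server(s) need attention before installing the update."
}
```
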
View: Exchange Blog: Released: November 2023 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019 and 2016: November 14, 2023 (KB5032146)
View: Description of the security update for Microsoft Exchange Server 2016: November 14, 2023 (KB5032147)
Download: Security Update V2 for Exchange 2019 CU12 and CU13
Download: Security Update V2 for Exchange 2016 CU23.