Attackers looking to exploit unpatched Exchange servers are not going to go away. There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts. First, user mailboxes often contain critical and sensitive data. Second, every Exchange server contains a copy of the company address book, which provides a lot of information that is useful for social engineering attacks, including organizational structure, titles, contact info, and more. And third, Exchange has deep hooks into and permissions within Active Directory, and in a hybrid environment, access to the connected cloud environment.
To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU). Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.
After installing an update, there may be manual tasks that an admin needs to perform, so always run Health Checker after installing an update to check for such tasks. Health Checker provides you with links to articles that provide step-by-step guidance.
Prior to releasing an SU, we may release a mitigation for a known vulnerability that can be applied to servers automatically by the Exchange Emergency Mitigation Service or manually using the Exchange On-Premises Mitigation Tool. As previously stated, mitigations are designed to provide temporary protection until an SU is available and can be installed. In some cases, mitigations can become insufficient to protect against all variations of an attack. Thus, installation of an applicable SU is the only way to protect your servers.
Updating your Exchange servers is straightforward:
Be sure to always read our blog post announcements, noting known issues and recommended or required manual actions. For CUs, always follow our guidance and best practices, and for SUs, use the Security Update Guide to find relevant information.
Use the Exchange Server Health Checker to inventory your servers and see which Exchange servers need updates (CUs or SUs), and if any manual action needs to be taken.
Once you know what updates are needed, use the Exchange updates step-by-step guide (aka the Exchange Update Wizard) to choose your currently running CU and your target CU and get directions for updating your environment.
If you encounter errors during update installation, the SetupAssist script can help troubleshoot them. And if something does not work properly after updates, have a look at the Update Troubleshooting Guide, which covers the most common issues and how to resolve them.
Be sure to install any necessary updates for Windows Server and other software that might be running on your Exchange server(s).
Be sure to install any necessary updates on dependency servers, including Active Directory, DNS, and other servers used by Exchange.
We know that keeping your Exchange environment protected is critical, and we know it’s never ending. We’re here to support our customers any way we can. We are constantly looking for ways to improve the Exchange Server update process, and we’ve posted a survey about that topic which we invite you to take at https://forms.office.com/r/kfLyqAe3Q8. In the meantime, please update your Exchange servers!