Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021
Microsoft has released a set of out of band security updates for vulnerabilities for the following ver...
Updated Mar 19, 2021
Version 44.0
Blog Post
Nino_Bilic
Microsoft
MicrosoftChrisJButler If you look through all of the CVEs (reference here) - the only CVE that applies to Exchange 2010 is CVE-2021-26857. It is a "Remote Code Execution" but it is not a 'start' of the attach chain that Exchange 2013, 2016, 2019 are vulnerable to (as they all basically begin with CVE-2021-26855).
As MSTIC blog post says here, the exploitation of CVE-2021-26857 requires "administrator permission or another vulnerability to exploit". But again, as CVE-2021-26855 does not apply to Exchange 2010, that can not be the "other known vulnerability" on Exchange 2010.
It is, however, still an issue that was discovered as a part of the big picture here, but because it is not exploited in the wild as other versions (because CVE-2021-26855 does not apply) - it is a 'Defense in depth' update. We deemed it important enough to ship a fix for such old code, but it is not actively exploited because there is not an 'entry point' as with other versions.
Hope that helps?