The October 2021 security updates for Exchange Server address vulnerabilities responsibly reported by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.
These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.
More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).
Two update paths are available:
Inventory your Exchange Servers / determine which updates are needed
Use the Exchange Server Health Checker script (use the latest release) to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).
My organization is in Hybrid mode with Exchange Online. Do I need to do anything? While Exchange Online customers are already protected, the October 2021 security updates do need to be applied to your on-premises Exchange Servers, even if they are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.
Do I need to install the updates on ‘Exchange Management Tools only’ workstations? Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.
NOTE: This post might receive future updates; they will be listed here (if available).