Microsoft has released new security updates for Exchange Server 2016 and 2019. This is a fix for the following vulnerability:
- CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability
However, the vulnerability is listed as "Low" severity and an attacker must have Exchange Server credentials to exploit the vulnerability:
An authenticated attacker can leak a cert file which results in a CSRF token being generated.
Source: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24085
No exploit for the vulnerability is known at present. The next CU for Exchange Server is expected in March and will include this fix, so if you want to avoid extensive testing twice, you could wait for the next CU and then test the complete CU instead.
Download links for the update:
- Microsoft Exchange Server 2019 Cumulative Update 8
- Microsoft Exchange Server 2019 Cumulative Update 7
- Microsoft Exchange Server 2016 Cumulative Update 19
- Microsoft Exchange Server 2016 Cumulative Update 18
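Before applying the update you need to know which CU each server runs and whether a security update is already on it. The following PowerShell is an added example, not from the original post or from Microsoft: it reads the CU from `AdminDisplayVersion` (which security updates do not change) and the version of `ExSetup.exe` (which every security update raises), and flags servers still without a security update on their current CU. It assumes you run it from the Exchange Management Shell with PowerShell remoting to every server; `$ExpectedExSetupVersion` is a placeholder table you fill in from the KB article of the security update, since the post gives no build numbers.

```powershell
# Added example (not the post's or Microsoft's code): inventory CU and security-update
# state of all Exchange 2016/2019 servers.
# Placeholder: ExSetup.exe version after the February 2021 SU, per CU, copied from the
# KB article. Key = AdminDisplayVersion string, value = expected ExSetup.exe version.
$ExpectedExSetupVersion = @{
    # 'Version 15.2 (Build <CU8 build>)' = '15.2.<build>.<revision>'   # placeholder
}

# AdminDisplayVersion renders as "Version 15.2 (Build 792.3)"; parse it with a regex so
# the check does not depend on the object type behind the property.
$versionPattern = '^Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)$'

$servers = Get-ExchangeServer | Where-Object {
    "$($_.AdminDisplayVersion)" -match $versionPattern -and $Matches[1] -eq '15' -and [int]$Matches[2] -ge 1
}

$report = foreach ($srv in $servers) {
    $cuText = "$($srv.AdminDisplayVersion)"
    $null = $cuText -match $versionPattern
    $cu = [version]::new([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4])

    # ExSetup.exe carries the effective build; read it on the server itself.
    $fileText = Invoke-Command -ComputerName $srv.Name -ScriptBlock {
        $info = (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo
        '{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    }
    $file = [version]$fileText

    # A security update raises only the last component(s) of ExSetup.exe; if the file
    # version still equals the CU version, no SU has been installed on this CU.
    $noSu = ($file.Build -eq $cu.Build) -and ($file.Revision -eq $cu.Revision)
    $expected = $ExpectedExSetupVersion[$cuText]

    [pscustomobject]@{
        Server          = $srv.Name
        Product         = if ($cu.Minor -eq 2) { 'Exchange 2019' } else { 'Exchange 2016' }
        CU              = $cuText
        ExSetupVersion  = $fileText
        SecurityUpdate  = if ($noSu) { 'none on this CU' } else { 'some SU installed, compare with KB' }
        MatchesExpected = if ($expected) { $file -eq [version]$expected } else { 'unknown (fill in placeholder table)' }
    }
}

$report | Sort-Object Product, Server | Format-Table -AutoSize
```

Servers reporting `none on this CU` are the ones to schedule first; servers whose CU does not appear in the list above (2019 CU7/CU8, 2016 CU18/CU19) need the CU upgrade before this security update can be applied at all.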
You should also read through the known problems with the fix before installing it: