Microsoft has released a new security update for Exchange Server 2013 to 2019 (CVE-2019-1373). The update closes a security vulnerability which, in the worst case, could allow code to be executed remotely. Microsoft classifies the severity of the vulnerability as critical. The update should therefore be installed as soon as possible. Microsoft provides the following details about the vulnerability:
A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the logged in user.
Exploitation of this vulnerability requires that a user run cmdlets via PowerShell.
The security update addresses the vulnerability by correcting how Exchange serializes its metadata.
Here you can find the KB entry for the update:
Important: Please be sure to read the information on the known problems with this update in the article linked above. Problems may occur during and after installation.
Click here to download the update:
- Download Security Update for Exchange Server 2019 Cumulative Update 3 (KB4523171)
- Download Security Update for Exchange Server 2019 Cumulative Update 2 (KB4523171)
- Download Security Update for Exchange Server 2016 Cumulative Update 14 (KB4523171)
- Download Security Update for Exchange Server 2016 Cumulative Update 13 (KB4523171)
- Download Security Update for Exchange Server 2013 Cumulative Update 23 (KB4523171)
To install the update, you must first update to a compatible Exchange version. For example, Exchange 2019 CU3, Exchange 2016 CU14 or Exchange 2013 CU23. The update is only supported for these Exchange versions, which of course does not mean that the vulnerability is not included in earlier Exchange versions, for example Exchange 2016 CU 10. For older CU versions, the vulnerability will just no longer be fixed.
