On Tuesday, Microsoft released new security updates for Exchange Server 2013, 2016 and 2019. The updates close the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082), which were known and actively exploited in September.
Click here to download the security updates:
Microsoft recommends installing the update as soon as possible. Click here for the article on the Exchange Team Blog:
As always, the security updates (SUs) depend on the installed cumulative update (CU) and are themselves cumulative. Specifically, if a currently supported CU is not installed on the Exchange Server, a supported CU must be installed before the SU is installed. Because the SUs are cumulative, previously published SUs do not need to be installed separately. The Microsoft graphic illustrates the procedure for installing the SUs:
The manually created IIS rewrite rules can be removed again after installing this update.