Security Update Exchange Server 2013-2019 | Pwn2Own Vulnerability
Microsoft has released critical security updates (April 2021) for on-premises Exchange Server 2013, 2016 and 2019 to fix the following Remote Code Execution vulnerabilities:
- CVE-2021-28480 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28481 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28482 | Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-28483 | Microsoft Exchange Server Remote Code Execution Vulnerability
More details: Microsoft April 2021 Security Update Summary and Exchange Team Blog
Note: the Microsoft security updates released in March 2021 do not remediate these vulnerabilities.
The Exchange versions affected are:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
The updates are available for the following specific builds of Exchange Server:
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU20 to Exchange 2016 CU19. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5001779-x64-en.msp.
IMPORTANT: If you install the security updates manually, you must install the .msp from an elevated command prompt.
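The two points above (the update is CU-specific, and a manual install must run elevated) can be enforced with a small pre-install guard. This is an added example, not code from the original post or from Microsoft. The function name and its parameters are hypothetical, and it assumes the file was renamed with the tagging convention suggested above and that the operator supplies the CU level the server actually runs.

```powershell
# Added example: refuse to apply an Exchange security update unless the tagged
# file name matches the server's CU level and the session is elevated.
# Install-TaggedExchangeSU and its parameters are hypothetical names.
function Install-TaggedExchangeSU {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,                 # tagged .msp file
        [Parameter(Mandatory)][ValidateSet('2013','2016','2019')][string]$ServerVersion,
        [Parameter(Mandatory)][int]$ServerCU                 # CU level the server runs
    )

    # The untagged download has the same name for every CU, so a file without
    # the Exchange<version>-CU<n>-KB<number> tag is rejected outright.
    $name = Split-Path -Path $Path -Leaf
    if ($name -notmatch '^Exchange(?<ver>\d{4})-CU(?<cu>\d+)-(?<kb>KB\d+)-.+\.msp$') {
        throw "File name '$name' is not tagged as Exchange<version>-CU<n>-KB<number>-...msp"
    }
    $fileVersion = $Matches['ver']
    $fileCU      = [int]$Matches['cu']
    $kb          = $Matches['kb']

    # Security updates are CU-level specific: version and CU must both match.
    if ($fileVersion -ne $ServerVersion -or $fileCU -ne $ServerCU) {
        throw "$kb file is for Exchange $fileVersion CU$fileCU, but the server is Exchange $ServerVersion CU$ServerCU"
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "File not found: $Path" }

    # A manual .msp install must run from an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Session is not elevated: start PowerShell with "Run as administrator" and retry.'
    }

    if ($PSCmdlet.ShouldProcess($name, 'Apply security update with msiexec')) {
        $full = (Resolve-Path -LiteralPath $Path).Path
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/update `"$full`"" -Wait -PassThru
        # 0 = success, 3010 = success with restart required
        if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($proc.ExitCode)" }
        return $proc.ExitCode
    }
}

# Example call using the file name from the text; -WhatIf runs every check without installing.
# Install-TaggedExchangeSU -Path .\Exchange2019-CU9-KB5001779-x64-en.msp -ServerVersion 2019 -ServerCU 9 -WhatIf
```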
