Microsoft has released security updates for Exchange vulnerabilities affecting Exchange Server 2019 and 2016. However, these updates cripple the server if it is not running in English. Microsoft now offers a workaround so that such servers can be patched after all. This matters, because the vulnerability in question has a CVSS score of 9.8.
Some administrators who apply necessary security updates immediately have experienced a bitter surprise. When installing the security updates for Exchange Server 2019 and Exchange Server 2016, error messages rained down and some servers were paralyzed afterwards. The problem: as soon as the server was not operated in English, the update failed and in some cases produced fatal errors.
Microsoft now offers a workaround
The security update for Exchange is of course recommended by all experts, since the vulnerability is considered critical: its CVSS score is 9.8 out of 10, and it should be closed immediately. Microsoft has developed a workaround so that administrators can do this quickly. Although the workaround is relatively easy to carry out, it is much more effort than an automated update, especially when several Exchange servers need to be patched.
Exchange patch for critical vulnerability
The current vulnerability, CVE-2023-21709, allows privilege escalation on Exchange and should therefore be closed quickly. Almost exactly a year ago, Exchange had two 0-day vulnerabilities that were attacked on a massive scale. One vulnerability enabled Server-Side Request Forgery (SSRF) attacks, while the second, identified as CVE-2022-41082, enabled Remote Code Execution (RCE) if PowerShell was exposed to the attacker.
More at Microsoft.com