skip to Main Content

March 2021 Exchange Server Security Updates

Microsoft released several security updates (SUs) for Microsoft Exchange Server to address vulnerabilities that have been used in limited targeted attacks. Due to the critical nature of these vulnerabilities, we recommend that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem.

These vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Security updates are available for the following specific versions of Exchange:

If you are not at these Exchange Server CU versions, please update right now and apply the above patch.

These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.

We recommend prioritizing installing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated.

Further information and guidance  

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has One Comment

  1. Hi Ali,

    You wrote this in an earlier article: “These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access.”

    Is it recommended to use vpn even after the upgrade? In many cases, using vpn makes it difficult for users to connect.

    thanks, John

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top