Today, Microsoft published security fixes for Exchange Server 2016 and 2019. These fixes address the following vulnerabilities:

• CVE-2019-1233: Microsoft Exchange Denial of Service Vulnerability
• CVE-2019-1266: Microsoft Exchange Spoofing Vulnerability

The CVE documents contain more details on the vulnerabilities. These exploits can be fixed by single security updates; you can download them here:

Note: KB4515832 supersedes KB4509409 and KB4509408.

Be advised that these Security Updates are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CU’s, and you cannot apply the same update for Exchange 2016 CU13 to Exchange 2016 CU12. I would suggest tagging the Cumulative Update in the file name when you store it, e.g. Exchange2016-KB4515832-x64-en_CU11.msp.

As with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.