Security Updates Exchange 2013-2019 (Nov2019)

A quick blog on recently published security updates for Exchange Server 2013 up to Exchange Server 2019. These fixes address the following vulnerabilities:

  • CVE-2019-1373: Microsoft Exchange Remote Code Execution Vulnerability

The CVE documents contain more details on the vulnerabilities. The vulnerabilities are fixed by a single security update, which you can find in the table below per current Exchange version.

| Exchange | Build | KB | Supersedes |
|---|---|---|---|
| Exchange 2019 CU3 | 15.2.464.7 | KB4523171 | KB4515832 |
| Exchange 2019 CU2 | 15.2.397.9 | KB4523171 | KB4515832 |
| Exchange 2016 CU14 | 15.1.1847.5 | KB4523171 | KB4515832 |
| Exchange 2016 CU13 | 15.1.1779.7 | KB4523171 | KB4515832 |
| Exchange 2013 CU23 | 15.0.1497.4 | KB4523171 | KB4509409 |

Be advised that the Security Updates for Exchange 2013-2019 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CUs, and you cannot apply the update for Exchange 2016 CU14 to Exchange 2016 CU13. I would suggest tagging the Cumulative Update in the file name when you store it, e.g. Exchange2016-CU14-KB4523171-x64-en.msp.

As with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.
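The CU-specific matching described above, as an added PowerShell example (not code from the original post or from Microsoft): it maps a server's build to its CU, reports whether the build is at the patched level from the table, and checks that a stored package name carries the matching CU tag. The function name `Test-Nov2019Update` and the sample build strings are assumptions; the patched builds and the file-name convention come from this post.

```powershell
# Added example. Patched builds are copied from the table in this post.
$Nov2019Builds = [ordered]@{
    'Exchange2019-CU3'  = [version]'15.2.464.7'
    'Exchange2019-CU2'  = [version]'15.2.397.9'
    'Exchange2016-CU14' = [version]'15.1.1847.5'
    'Exchange2016-CU13' = [version]'15.1.1779.7'
    'Exchange2013-CU23' = [version]'15.0.1497.4'
}

function Test-Nov2019Update {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][version]$InstalledBuild,
        [string]$PackageFileName   # e.g. Exchange2016-CU14-KB4523171-x64-en.msp
    )
    # Major.Minor.Build identifies the CU; the revision shows the patch level.
    $cu = $Nov2019Builds.Keys | Where-Object {
        $p = $Nov2019Builds[$_]
        $p.Major -eq $InstalledBuild.Major -and
        $p.Minor -eq $InstalledBuild.Minor -and
        $p.Build -eq $InstalledBuild.Build
    } | Select-Object -First 1

    if (-not $cu) {
        # Server is on a CU that has no entry in the table.
        return [pscustomobject]@{
            Build = $InstalledBuild; CU = $null
            Status = 'CU not in table: move to a listed CU first'
            PackageMatchesCU = $false
        }
    }
    $status = if ($InstalledBuild -ge $Nov2019Builds[$cu]) { 'Patched' }
              else { 'Needs KB4523171' }
    # The update has the same name for every CU, so only the CU tag added to
    # the stored file name tells the packages apart.
    $match = if ($PackageFileName) {
        $PackageFileName -like "${cu}-KB4523171-*.msp"
    } else { $null }

    [pscustomobject]@{
        Build = $InstalledBuild; CU = $cu
        Status = $status; PackageMatchesCU = $match
    }
}

# Constructed sample inputs: build strings as they would be read from servers.
$pkg = 'Exchange2016-CU14-KB4523171-x64-en.msp'
Test-Nov2019Update -InstalledBuild '15.1.1847.5' -PackageFileName $pkg  # patched, tag matches
Test-Nov2019Update -InstalledBuild '15.1.1779.2' -PackageFileName $pkg  # CU13 server, CU14 package
Test-Nov2019Update -InstalledBuild '15.1.1713.5'                        # CU not in the table
```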

10 thoughts on “Security Updates Exchange 2013-2019 (Nov2019)”

  1. The Exchange 2013 CU23 version of this security update broke the eDiscovery PST Export Tool for us. When it would actually start exporting to a .pst file, it stops with the error message ‘FailedToLoadStatus’ instead.

    The solution is this: if you search for the file called “” under your user profile, under AppData, you will find several versions of it (assuming you used the PST Export Tool before this security update was installed on your Exchange Server). If you look at their properties, specifically their versions, the most recent one (included with this patch) will be 15.0.1497.4. What you need to do is find a copy of an earlier version of this dll under your AppData (for example 15.0.1497.0, which is the CU23 version), and replace/overwrite all instances of the 15.0.1497.4 version with it (still under AppData). Then you can just start the tool again, and it will work.


    • my problem was very similar, but had to open case with M$ – here is what we had to do
      • This is a known issue in our product. After installing a security patch, the Microsoft.Exchange.Diagnostics.dll goes missing from the client machine.
      • The fix for this issue is mentioned below:
      o Navigate to C:\Program Files\Microsoft\Exchange Server\V15\Bin on any Exchange mailbox server. [In your case Server: ILDREX13-01]
      o Copy the “Microsoft.Exchange.Diagnostics.dll” file.
      o Paste it in the AppData folder (install location of PST Export tool) on the client machine. [Note: By client machine, we mean the machine from where you are trying to export to PST]
      o To find the location on the client machine, to paste it to: Go to your client machine and open file explorer.
      o In the file explorer, Navigate to: C:\Users\YOURUSER\AppData\Local\Apps\2.0
      o Then, search for in the file explorer.
      o Out of all the paths that you get, look for all the paths/location where you can find files with extension .dll
      o When you find that path or paths, make sure to paste the Microsoft.Exchange.Diagnostics.dll in all these paths with .dll files, in your client machine.
      o Close all browser windows and re-try to export to PST after the above step.


  2. Robert, thank you so much for sharing this solution! Worked great on our Exchange 2016 CU15. Only difference is I changed out the DLL files in the Exchange “bin” folder on the server. I renamed the newer file, replaced it with the earlier version, and no more error.


  3. Thank you Robert, I’ve been looking all day for a fix to this. It figures you never notice something like being broke after a CU until it’s an urgent request.


  4. Still a problem with the latest CU for Exchange 2016 and this article is the only one I’ve seen that addresses this. Thank you. 🙂

    But has anyone found a way to fix it server side? Sending a dll to our techies is at best a workaround.

