A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released December 8th. These fixes address the following vulnerability:

Exchange 2016 / 2019

• CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
• CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
• CVE-2020-17141: Microsoft Exchange Remote Code Execution Vulnerability
• CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
• CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2013

• CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
• CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
• CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
• CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2010

• CVE-2020-17144: Microsoft Exchange Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.6	KB4593465	KB4588741
Exchange 2019 CU6	Download	15.2.659.11	KB4593465	KB4588741
Exchange 2016 CU18	Download	15.1.2106.6	KB4593465	KB4588741
Exchange 2016 CU17	Download	15.1.2044.12	KB4593465	KB4588741
Exchange 2013 CU23	Download	15.0.1497.10	KB4593466
Exchange 2010 SP3 RU31	Download	14.3.509.0	KB4593467

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.