Another month, another Patch Tuesday! A quick blog on May’s security updates for Exchange Server 2013 up to 2019.

These fixes address the following vulnerabilities:

Vulnerability	Category	Severity	Rating
CVE-2021-31209	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-31207	Security Feature Bypass	Moderate	CVSS:3.0 6.6 / 5.8
CVE-2021-31198	Remote Code Execution	Important	CVSS:3.0 7.8 / 6.8
CVE-2021-31195	Remote Code Execution	Important	CVSS:3.0 6.5 / 5.7

These vulnerabilities can be fixed by single security update for Exchange, which you can find below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU9	Download	15.2.858.12	KB5003435	KB5001779
Exchange 2019 CU8	Download	15.2.792.15	KB5003435	KB5001779
Exchange 2016 CU20	Download	15.1.2242.10	KB5003435	KB5001779
Exchange 2016 CU19	Download	15.1.2176.14	KB5003435	KB5001779
Exchange 2013 CU23	Download	15.0.1497.18	KB5003435	KB5001779

More detailed information can be found at the original blog post here, which also mentions some known issues and workarounds which you might encounter after deploying these updates.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5003435-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.