Security Updates Exchange 2013-2019 (Feb2023)

[20Feb] Added information regarding issues reported.

The Exchange product group released February updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

CVE-2023-21529Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21706Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21707Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21710Remote Code ExecutionImportantCVSS:3.1 7.2 / 6.3

The Security Updates for each supported Exchange Server build are linked below:

Exchange 2019 CU12Download15.2.1118.25KB5023038KB5022193
Exchange 2019 CU11Download15.2.986.41KB5023038KB5022193
Exchange 2016 CU23Download15.1.2507.21KB5023038KB5022143
Exchange 2013 CU23Download15.0.1497.47KB5023038KB5022188

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

IssueExchange 2013Exchange 2016Exchange 2019
Export-UMPrompt fails with InvalidResponseExceptionYesYesN/A
Edge Transport service returns an “EseNtOutOfSessions” ExceptionYesYesYes
Exchange services in automatic startup mode do not start automaticallyYesYesYes
Data source returns incorrect checkpoint depthYesYesYes
Serialization fails while tried accessing Mailbox Searches in ECPYesYesYes
Transport delivery service mishandles iCAL eventsYesYesYes


  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it’s EWS having problems, applications depending on this protocol also may stop to work, such as Teams.

Meanwhile, Microsoft acknowledged an issue with the initial publication, and published workaround. If experience issues and see the event 4999 in your Eventlog:

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

follow the instructions in the following KB article link:

  1. On each Exchange server, create a registry key
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name 'DisableBaseTypeCheckForDeserialization' -Value 1 -Type String
  2. Create a global override setting
    New-SettingOverride -Name 'Adding learning location ClientExtensionCollectionFormatter' -Component Data -Section DeserializationBinderSettings -Parameters @('LearningLocations=ClientExtensionCollectionFormatter') -Reason 'Deserialization failed'
  3. If you cannot wait until the override configuration kicks in (may take an one hour), refresh it manually:
    • Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
    • Restart IIS and the Windows Activation Proces on each server
      Restart-Service -Name W3SVC, WAS -Force

Be advised that event 4999 might still show up in your Eventlog, and it has been reported that this might not completely does away with the issues reported. Keep an eye on the original post and EHLO blog for any future updates.

2 thoughts on “Security Updates Exchange 2013-2019 (Feb2023)

  1. Hi Michel, looks like guidance regarding installation of SUs on servers or workstations running Exchange Management Tools only have changed:

    Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?

    Our recommendation is to install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.

    Source: FAQ Section from



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.