Security Updates Exchange 2013-2019 (Mar2023)

The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.

The vulnerability addressed in these Security Updates for Exchange Server is:

CVE-2022-21978Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange 2019 CU12Download15.2.1118.26KB5024296KB5023038
Exchange 2019 CU11Download15.2.986.42KB5024296KB5023038
Exchange 2016 CU23Download15.1.2507.23KB5024296KB5023038
Exchange 2013 CU23Download15.0.1497.48KB5024296KB5023038

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

IssueExchange 2013Exchange 2016Exchange 2019
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigningYesYesYes
EEMS stops responding after TLS endpoint certificate updateYesYesYes
Get-App and GetAppManifests fail and return an exceptionYesYesYes
EWS does not respond and returns an exceptionYesYesYes
An exception is returned while opening a template in the Exchange ToolboxYesYesYes


  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.