The Exchange product group released March 2024 updates for Exchange Server 2016 and 2019.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
Vulnerability | Category | Severity | Rating |
---|---|---|---|
CVE-2024-26198 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7 |
The Security Updates for each supported Exchange Server build are linked below:
Exchange | Download | Build | KB | Supersedes |
---|---|---|---|---|
Exchange 2019 CU14 | Download | 15.2.1544.9 | KB5036401 | KB5032146 |
Exchange 2019 CU13 | Download | 15.2.1258.32 | KB5036402 | KB5032146 |
Exchange 2016 CU23 | Download | 15.1.2507.37 | KB5036386 | KB5032147 |
OutsideInModule
Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling it is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for use in Exchange Transport Rules or Data Loss Prevention rules. More information is here.
Fixed Issues
Apart from security fixes, these Security Updates also correct the following issues:
Issue Fixed | Exchange 2016 | Exchange 2019 |
---|---|---|
EWS search request displays inaccurate results | Yes | Yes |
Notes
- Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
- Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
- If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.
On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, when it concerns security updates, it is not recommended to wait for regular maintenance cycles; follow a more agile approach instead. The ratings are an indication of the urgency.
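Because each Security Update only applies to its own CU level, it helps to classify a server's build before downloading anything. The following is an added example, not code from the original post: the function name and the sample inputs are hypothetical, and it assumes the first three version fields identify the CU while the fourth rises with each SU.

```powershell
# Added example: classify an Exchange build against the March 2024 SU table above.
# Assumption: Major.Minor.Build identifies the CU; Revision rises with each SU.
$March2024SU = @(
    [pscustomobject]@{ Cu = 'Exchange 2019 CU14'; Build = [version]'15.2.1544.9';  KB = 'KB5036401' }
    [pscustomobject]@{ Cu = 'Exchange 2019 CU13'; Build = [version]'15.2.1258.32'; KB = 'KB5036402' }
    [pscustomobject]@{ Cu = 'Exchange 2016 CU23'; Build = [version]'15.1.2507.37'; KB = 'KB5036386' }
)

function Get-March2024SuStatus {
    param([Parameter(Mandatory)][string]$BuildString)

    # [version] parses the zero-padded form (15.02.1118.040) as 15.2.1118.40.
    $installed = [version]$BuildString

    # Match on the CU level only: an SU never moves a server to another CU.
    $row = $March2024SU | Where-Object {
        $_.Build.Major -eq $installed.Major -and
        $_.Build.Minor -eq $installed.Minor -and
        $_.Build.Build -eq $installed.Build
    }

    $cu = $null
    $kb = $null
    if (-not $row) {
        # No SU in the table targets this CU, so the CU itself must be upgraded.
        $status = 'CU not covered by this SU: upgrade the CU first'
    } elseif ($installed.Revision -ge $row.Build.Revision) {
        # SUs are cumulative, so an equal or higher revision includes this SU.
        $cu = $row.Cu
        $status = 'At or above the March 2024 SU build'
    } else {
        $cu = $row.Cu
        $kb = $row.KB
        $status = 'Install the SU for this CU'
    }
    [pscustomobject]@{ Installed = $installed; Cu = $cu; Status = $status; KB = $kb }
}

# Sample inputs: 15.02.1118.040 is the build a reader quotes in the comments on
# this page; the others are constructed to exercise each branch.
'15.2.1544.4', '15.02.1118.040', '15.2.1258.32', '15.1.2507.35' |
    ForEach-Object { Get-March2024SuStatus $_ } |
    Format-Table -AutoSize
```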
Hello,
It seems you inverted the 2 Exchange versions:
Exchange 2019 CU13 => 15.2.1258.32
Exchange 2019 CU14 => 15.2.1544.9
Thanks
I stopped receiving Exchange Security Updates at least 2 months ago. I was very surprised to receive your updates but not Windows Update for Exchange. I just checked and I found my version is 15.02.1118.040.
What updates do I need in my case? Please provide links or guidance to download and install. Thank you.
CUs need to be installed manually; you’ll only receive the following small updates via Win Update, otherwise you’ll be stuck there. You seem to be on the last CU12, so you have to update asap to 14 (or 13, because 14 seems to have some problems still).
However, do test it before; the search is not working for me.
Check here for builds and downloads
I found some documentation about the right procedure to update to a higher CU, and I updated to CU14 and then a small Exch Security Update. Looks normal so far. Big thank you!