Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
The updates fix the following vulnerabilities:
- CVE-2022-23277: Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-24463: Microsoft Exchange Server Spoofing Vulnerability (does not apply to Exchange 2013)
None of them are currently publicly disclosed or being exploited. However, the exploitability assessment of CVE-2022-23277 is “Exploitation More Likely”. It is therefore important to update as soon as possible.
The update for Exchange 2013 also contains a critical change for continued support for add-ins. Without this update, you will not be able to install or start any new Office add-ins.
- KB5012925: RFC certificate timestamp validation in Exchange Server 2013
View: Exchange Blog: Released: March 2022 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019 and Exchange 2016: March 8, 2022 (KB5012698)
View: Description of the security update for Microsoft Exchange Server 2013: March 8, 2022 (KB5010324)