Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
The updates fix the following vulnerability;
- CVE-2022-21978: Microsoft Exchange Server Elevation of Privilege Vulnerability
The vulnerability is currently not publicly disclosed nor being exploited. The exploitability assessment is regarded as “Exploitation Less Likely”. However, it is still important to update as soon as possible.
After applying the update, it is required to run
/PrepareAllDomains once in your environment as well or otherwise you’d still not be protected from the vulnerability.
Also note that all Security Updates are now released as .exe files instead of .msp files. The main reason for this is to ensure that the installation runs with the required permissions and preventing that your Exchange installations ends up in a bad state. The .msp file can still be extracted from the .exe file or obtained via the Microsoft Update Catalog by extracting the .cab file.
View: Exchange Blog: Released: May 2022 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2016 and 2019: May 10, 2022 (KB5014261)
View: Description of the security update for Microsoft Exchange Server 2013: May 10, 2022 (KB5014260)