Microsoft Really Wants People To Patch Their Exchange Servers

‘We’ve said it before, we’re saying it now, and we’ll keeping saying it: it is critical to keep your Exchange servers updated,’ the Exchange team said in a blog post.


Seemingly unprompted by any specific new incident, Microsoft’s Exchange unit on Thursday posted a plea to customers to patch their Exchange servers, citing the massive and ongoing threat from malicious actors looking to exploit critical vulnerabilities in the on-premises systems.

“We’ve said it before, we’re saying it now, and we’ll keeping saying it: it is critical to keep your Exchange servers updated,” the Exchange team said in a blog post.

[Related: Microsoft Slowdown? Partners Investing Despite ‘More Cost-Conscious’ Customers]

Sponsored post

The risk was most recently underscored in the cyberattack against the Rackspace Hosted Exchange service. The Dec. 6 ransomware attack against the service was enabled by a zero day exploit associated with a recently disclosed Exchange vulnerability (tracked at CVE-2022-41080), and saw hackers gain access to dozens of accounts, while tens of thousands lost access to their historical emails in the wake of the attack.

In September, the latest remote code execution vulnerability in Exchange, known as “ProxyNotShell” (CVE-2022-41082), was disclosed by researchers. Prior critical Exchange vulnerabilities included the four widely exploited bugs that were revealed in early 2021 as well as the ProxyShell vulnerability, disclosed in August 2021.

In the blog post Thursday, Microsoft’s Exchange team noted that “attackers looking to exploit unpatched Exchange servers are not going to go away. There are too many aspects of unpatched on-premises Exchange environments that are valuable to bad actors looking to exfiltrate data or commit other malicious acts.”

Keeping Exchange servers fully up-to-date entails “installing the latest available Cumulative Update (CU) and Security Update (SU) on all your Exchange servers (and in some cases, your Exchange Management Tools workstations), and occasionally performing manual tasks to harden the environment, such as enabling Extended Protection and enabling certificate signing of PowerShell serialization payloads,” the Exchange unit said in the post.

From the post:

To defend your Exchange servers against attacks that exploit known vulnerabilities, you must install the latest supported CU (as of this writing, CU12 for Exchange Server 2019, CU23 for Exchange Server 2016, and CU23 for Exchange Server 2013) and the latest SU (as of this writing, the January 2023 SU). Exchange Server CUs and SUs are cumulative, so you only need to install the latest available one. You install the latest CU, then see if any SUs were released after the CU was released. If so, install the most recent (latest) SU.

Russell Reeder, CEO of Netrix Global, No. 190 on the 2022 CRN Solution Provider 500, said there’s no doubt that Exchange servers represent a top security concern for any organizations that have them.

“If you have an Exchange server, and you think that it’s OK just because you put in the last patch — there’s always going to be another patch you‘re going to need,” Reeder said.

Ultimately, wherever possible, “everyone should use Microsoft — their full M365 solution — or go Google,” he said. If it can be avoided, “you shouldn’t have any Exchange — whether it’s in your private cloud or in your closet.”