Due to the vulnerability that allows privilege escalation I wrote about in this post, Microsoft has released a cumulative update for all supported versions of Exchange Server (Exchange 2010, 2013, 2016 and 2019).

As Microsoft has published in the “You Had Me At Ehlo”, its not a normal practice to include security updates in a cumulative update that the nature of the product forces to deliver them this way.

Several details and actions are included in the official post:

  • The CU fixes contains a critical security update related to the EWS Push notifications
  • After applying the CU, the Exchange server’s credentials stored in Active Directory must be reset
  • The CU decreases the Active Directory rights granted to the Exchange servers. To apply the changes, the setup /PreapareAD parameter must be run.

For complete details, I encourage you to visit the Microsoft official post:
Released: February 2019 Quarterly Exchange Updates

SomoIT post about the vulnerability:
Exchange – New vulnerability that allows privilege escalation