
Affected Systems: Microsoft Exchange Server 2013, 2016, and 2019

Description:

Alongside the release of its August 2022 security update, Microsoft has advised that fully patching some of the vulnerabilities disclosed this month requires Microsoft Exchange Server administrators to manually enable Windows Extended Protection.

The August 2022 security update included patches for six new vulnerabilities, three of which are of critical severity – CVE-2022-21980, CVE-2022-24516, and CVE-2022-24477. All three critical vulnerabilities allow elevation of privilege.

Preventions:

The August 2022 update for Microsoft Exchange Server 2019 and 2016 can be found here; the Microsoft Exchange Server 2013 update can be found here.

Microsoft has developed a script to help users enable Extended Protection. This script can be found here, and documentation for it can be found here. Microsoft has noted that it is important for users to fully understand the prerequisites needed for Extended Protection.
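Because installing the update does not turn Extended Protection on, it helps to confirm what IIS is actually configured to do. The following is an added example, not Microsoft's script and not part of the original advisory: a read-only PowerShell check that reports the Extended Protection `tokenChecking` value for each `<location>` in a copy of IIS's applicationHost.config. The function name is hypothetical, and the sample XML and the virtual directory paths in it are constructed.

```powershell
# Added example: read-only report of Extended Protection settings found in an
# applicationHost.config file. Function name and sample XML are constructed.
function Get-ExtendedProtectionState {
    param([Parameter(Mandatory)] [xml] $Config)

    $xpath = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($loc in $Config.SelectNodes('//location[@path]')) {
        $winAuth = $loc.SelectSingleNode($xpath)
        if ($null -eq $winAuth) { continue }   # no Windows auth settings here

        $ep = $winAuth.SelectSingleNode('extendedProtection')
        # IIS defaults tokenChecking to None when the element or attribute is absent.
        $token = 'None'
        if ($null -ne $ep -and $ep.HasAttribute('tokenChecking')) {
            $token = $ep.GetAttribute('tokenChecking')
        }

        [pscustomobject]@{
            Location      = $loc.GetAttribute('path')
            WindowsAuth   = $winAuth.GetAttribute('enabled')
            TokenChecking = $token
        }
    }
}

# Constructed sample: two virtual directories, one without Extended Protection.
[xml]$sample = @'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OAB">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

Get-ExtendedProtectionState -Config $sample | Format-Table -AutoSize
# On a server, pass a copy of the real file instead:
#   Get-ExtendedProtectionState -Config ([xml](Get-Content -Raw $path))
```

The check only reports explicit per-location settings; which value each Exchange virtual directory should have is defined in Microsoft's Extended Protection documentation, not by this example.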

Related Links: