Exchange Server security updates (November 8, 2022)

Update[German]Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 as of November 8, 2022. These updates are intended to address NotProxyShell vulnerabilities that have been known (and already exploited) since late September 2022, as reported by external security partners.


Microsoft has published the Techcommunity post Released: November 2022 Exchange Server Security Updates with a description of the security updates.

Exchange November 2022 updates

Security updates are available for the following Exchange Server CU versions (links from Microsoft, some of which have downloads from August 2022 – but the KB articles are linked correctly in the details).

  • Exchange Server 2013 CU23  (upport ends in April 2023)
  • Exchange Server 2016 CU22, CU23
  • Exchange Server 2019 CU11, CU12

Microsoft writes in the Techcommunity post that the November 2022 security updates include fixes for the zero-day vulnerabilities that were publicly reported on September 29, 2022 (CVE-2022-41040 and CVE-2022-41082).

at a critical infrastructure was attacked in early August 2022 during security monitoring and incident response activities. During the investigation, GTSC's Blue Team experts determined that the attack exploited an undisclosed Exchange vulnerability, i.e., a 0-day vulnerability. I had reported in the blog post Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022).

As a result of these reports, Microsoft attempted to close the vulnerabilities with workarounds, but this turned into a "drama" with new filter rule fix notices being released daily. See my links at the end of the article that lead to blog posts reporting on this issue and Microsoft's workarounds.

Anyone who used these workarounds (including disabling Remote PowerShell) should undo them after installing the November 2022 update.

Note Microsoft's guidance on update installation. Note that Exchange servers are updated to the current CU before the November 2022 updates are installed (see the graphic above and Microsoft's note). Microsoft's HealthChecker PowerShell script can be used to check.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities covered in these SUs and do not need to take any action other than updating all Exchange servers in their environment.

Similar articles:
Exchange Server Security updates (August 9, 2022)
Exchange Update errors and information (April 13, 2021)
Exchange Server security updates (October 11, 2022)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server 2013: Microsoft's tips on decommissioning the systems
Update for Exchange Extended Protection script, but still error
Tip: Exchange Health Checker – Script extensions by Frank Zöchling


Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022)
Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333
Update on Exchange Server 0-day Vulnerability ZDI-CAN-18333: Fixes, Scripts and EMS Solution
Exchange Server: Microsoft updates it's mitigation for the 0-day ProxyNotShell vulnerability (October 5, 2022)
Exchange Server: Microsofts improves solutions for 0-day mitigation again (October 8, 2022)
Exchange Server: New 0-day (not NotProxyShell, CVE-2022-41040, CVE-2022-41082)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Update and tagged , , , . Bookmark the permalink.

One Response to Exchange Server security updates (November 8, 2022)

  1. SebiM says:

    hi, installed the latest SU for Exchange 2016 CU23, but it shows still Security Vulnerabilities when i run the Health Check. any ideas?

Leave a Reply

Your email address will not be published. Required fields are marked *