Microsoft has confirmed a 0-day (response in progress) vulnerability to their Exchange Server software for versions 2013, 2016, and 2019. Customers using Exchange Online that never used Exchange onsite or fully completed their migration to Exchange Online (no hybrid Exchange servers) are not affected. This particular vulnerability does require a valid username and password, but the impact is total system control. Due to the critical risk of this vulnerability, immediate proactive measures to protect your Exchange server are highly recommended. Microsoft supplied a temporary configuration workaround that requires no downtime and takes only a few minutes to complete.
Once Microsoft releases a software patch to patch the vulnerability permanently, it is recommended to review the release notes and apply the update as appropriate for your environment.
You can find technical details regarding the vulnerability and the temporary configuration workaround in the following Microsoft Security Response Center blog link:
To discuss corrective actions, proactive, secure perimeter validation, real-time log aggregation and endpoint solutions, or other technology consulting needs, reach out to your Xiologix representative or the helpdesk at email@example.com.
Update 5:27PM 9/30/22:
Customers with Exchange 2013 and Windows Server 2012 R2 may need an additional hotfix for Windows Server for the URL Rewrite plugin to work properly. The ‘Universal C Runtime’ update can be downloaded from Microsoft at the following link: