Microsoft Exchange Server: January 2023 security updates address five vulnerabilities

It's the second Tuesday of the month again - Microsoft Patch Day, including for Microsoft Exchange Server. The server versions 2013, 2016 and 2019 will again receive their current security patches. This round addresses five vulnerabilities, none of which are critical according to Microsoft.
Every two months Microsoft releases new updates for its on-premises Exchange Server. In most cases, these contain security updates for new CVEs. Regardless of this, Microsoft Windows Server is updated every month on the second Tuesday of the month. Admins should therefore not only install the following Exchange updates, but also check their Windows servers for updates in Windows Update.
Note at this point: Exchange Server 2013 is approaching its end of support. From April 11, 2023 there will be no more support or updates for the product. Exchange Server 2016 and 2019 reach their (extended) end of support on October 14, 2025.
Exchange Server January Updates: The CVE Listing
With this security update, the developers close the following CVEs for all three server versions, Exchange Server 2013, 2016 and 2019:
- CVE-2023-21745 (important)
- CVE-2023-21762 (important)
- CVE-2023-21761 (important)
- CVE-2023-21764 (important)
- CVE-2023-21763 (important)
Even though, according to Microsoft, there are no indications that the vulnerabilities are being exploited on systems, the updates should be installed as soon as possible. As usual, this can change quickly once the security updates are released, since attacks now become more interesting.
Security patches for Exchange 2013, 2016 and 2019: download links
As usual, do not forget to create backups (and test them first!), plan enough time and inform the users about the downtime. We save you time and list the download links directly here:
Frequently asked questions:
- Previous security updates not installed? As always, these are cumulative, that is, they build on one another and are thus independent of each other. Simply install this update and all previous gaps are closed as well, including the updates for the zero-day vulnerability from September 2022 ("ProxyNotShell").
- Currently running CU version not included? In this case, the Exchange Server must first be updated to the latest CU version.
- Check if everything worked? Microsoft's Health Checker script can be used to check whether all updates have been installed successfully.
Security update may lead to OWA bug
As the company also notes in the Exchange blog, there is a known issue with this month's security update. Once the update is installed on an Exchange Server 2016 or 2019, web page previews for URLs pasted in OWA are not rendered correctly. This error should be fixed in the next update.