The July 2021 Microsoft Patch Tuesday updates were released on July 13. One of those patches addressed a publicly disclosed but unexploited, zero-day vulnerability classified as CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability affects on-premises Exchange servers 2013, 2016, and 2019, and was assigned a severity of critical.
Course of Action
In order to expedite remediation of CVE-2021-34473, a cumulative update (CU) will need to be manually applied to any managed patching customers who have on-premises Microsoft Exchange Server 2013, 2016, and 2019. Systems Engineering will reach out to the affected customers ahead of their regular patching schedule to install the CU to the Exchange server, then apply the July patches.
Clients who subscribe to managed patching services, which include IT Essentials, Network Security, or Network Monitoring (servers only), and are running the latest Exchange CU will receive the July updates as part of their regular patching schedule.
For clients who do not subscribe to a Systems Engineering patching service and have an affected on-premises Exchange server, Microsoft recommends applying the security updates to address the vulnerability immediately.
NOTE: Exchange Online customers are already protected and no additional action is needed.
If you have questions about this security alert, please reach out to your Account Manager.