By Michael Bianchi, Senior Systems Engineer
On 5/8 Microsoft published a security update for all supported versions of Exchange, detailed here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8154.
A vulnerability was found that could enable an attacker to run arbitrary code under the context of the System user and install a program, compromise or destroy data, and create new user accounts by sending a specially crafted email (details undisclosed) to the server.
Exchange 2010 customers must install the latest update rollup release which can be found here: https://support.microsoft.com/en-us/help/4091243/update-rollup-21-for-exchange-server-2010-service-pack-3.
Exchange 2013 and 2016 customers must be on the latest or next previous CU and also apply the respective patch which can be found here: https://support.microsoft.com/en-us/help/4092041/description-of-the-security-update-for-microsoft-exchange-server-2013.
All other versions of Exchange are to be considered vulnerable with no patch forthcoming. Under Microsoft’s support agreement, only the latest or next previous patch is supported – see more information here – https://technet.microsoft.com/en-us/library/ff728623%28v=exchg.150%29.aspx
If you require assistance with this matter, please contact Helient at firstname.lastname@example.org.