National Cyber Security Centre
Security updates released for Microsoft Exchange Servers
The NCSC is encouraging organisations to install critical updates after a number of vulnerabilities were addressed in Microsoft Exchange.
As part of Microsoft's scheduled April update cycle, a number of critical severity vulnerabilities were addressed in Microsoft Exchange. We have no information to suggest that these vulnerabilities are being used in active exploitation. However, given the recent focus on Exchange, we recommend the installation of updates as soon as practicable, as attackers may seek to build exploit capability which could be used against systems before the updates are applied.
The vulnerabilities affect Microsoft Exchange Server. The affected versions are:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Organisations running an out-of-support version of Microsoft Exchange should update to a supported version without delay.
Exchange Online customers are already protected.
The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In this case, the most important aspect is to install the latest security updates immediately. The April 2021 security update fixes a number of security vulnerabilities and more information can be found on Microsoft's website.
More information on installing these updates is available in Microsoft’s Exchange blog.
Organisations that are unsure how to update, or uncertain whether updates have installed successfully, should refer to the Microsoft support documents. Organisations that are unsure whether they have affected servers, or unsure of their update status, should consult the Microsoft Exchange Server Health Checker.