IT Share NVP -ViettechgroupVN-Phuong Nguyen blog | Share make us stronger Knowledge is Sharing Viettechgroup- Sharing Make Us Stronger-Kiến thức CNTT là sự chia sẻ- NVP-Chia sẻ làm chúng ta mạnh hơ| ITShareNVP Channel | Phương Nguyễn | Phuong Nguyen Blog| Lưu trữ kiến thức chia sẽ kinh nghiệm CNTT | Phương Nguyễn

Released: October 2023 Exchange Server Security Updates


Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2019
  • Exchange Server 2016

SUs are available for the following specific versions of Exchange Server:

  • Exchange Server 2019 CU12 and CU13
  • Exchange Server 2016 CU23

The October 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

CVE-2023-21709 now has a better solution: install update for CVE-2023-36434

During the release of August 2023 SUs, we recommended to use a manual or scripted solution and disable the IIS Token Cache module as a way of addressing CVE-2023-21709. Today, Windows team has released the IIS fix for root cause of this vulnerability, in the form of fix for CVE-2023-36434. We recommend installing the IIS fix after which you can re-enable Token Cache module on your Exchange servers.

If you did not do anything to address CVE-2023-21709 yet:

If you have followed our August 2023 recommendation and disabled the Token Cache module (either by using single-line command or our CVE-2023-21709.ps1 script), or want to address possible performance concerns you have seen since disabling the module, do the following:

  • Install update for CVE-2023-36434 on all your Exchange Servers.
  • Re-enable IIS Token Cache module by doing one of the following:
    • To enable Token Cache module on individual server only, run the following from the elevated PowerShell window:

New-WebGlobalModule -Name “TokenCacheModule” -Image “%windir%\System32\inetsrv\cachtokn.dll”

  • To enable Token Cache module on all servers in the organization (after Windows Updates were installed), you can use our CVE-2023-21709.ps1 as Administrator in Exchange Management Shell (EMS):

.\CVE-2023-21709.ps1 -Rollback

We are making updates to all related August 2023 documentation pages and scripts as well as Health Checker to reflect our new recommendation.

Update installation

The following update paths are available:

thumbnail image 1 of blog post titled
Released: October 2023 Exchange Server Security Updates

Known issues with this release

  • There are no known issues with this update.

Issues resolved in this release (see KB for full list)


We are running a non-English operating system, and the October 2023 SU fails with an “Error 0x80070534: failed to get sid for account: Network Service” error. Help!
As outlined in Re-release of August 2023 Exchange Server Security Update packages, it is crucial to uninstall the August 2023 SUv1 and revert the workaround prior installing the October 2023 SU. If you are unsure if/which August 2023 update package you run, make sure to run the latest version of the Exchange Health Checker script first and keep an eye out for the following warning which indicates that the August 2023 SUv1 package is installed: “Error: August 2023 SU 1 Problem Detected. More Information:”.

We disabled IIS Token Cache as a part of August 2023 update. Does Exchange require IIS Token Cache to run? Must we re-enable it?
Re-enabling IIS Token Cache after installing the update for CVE-2023-36434 is optional. Exchange Server does not require IIS Token Cache. We wanted to call the CVE-2023-36434 update because we heard from some customers who had concerns about performance of their clients after IIS Token Cache is disabled. If you already disabled IIS Token Cache and want to keep it disabled, Exchange Server does not require it. But please make sure to install all Windows Updates anyway. 

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

Documentation may not be fully available at the time this post is published.

Updates to this blog post:

  • 10/12/23: Added a note that additional steps might be necessary to address password prompts in multi-forest deployments (issues resolved section)
  • 10/11/23: Added a FAQ for setup error that can be encountered if August 2023 SUv1 was installed on Exchange running on non-English OS
  • 10/11/23: Added a FAQ clarifying that re-enabling IIS Token Cache is not required but is optional

The Exchange Server Team

Được đóng lại.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. AcceptRead More