We are contacting you to alert you to Microsoft’s release of patches for multiple different on-premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state-affiliated group.
The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected. We wanted to ensure you were aware of the situation and would ask that you help drive immediate remediation steps.
Specifically, to minimize or avoid the impacts of this situation, Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments you have or are managing for a customer or advise your customer of the steps they need to take. The first priority being servers that are accessible from the Internet (e.g., servers publishing Outlook on the web/OWA and ECP).
To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.
We are committed to working with you through this issue. For additional help, please open a ticket with our Partner Center or contact the help desk.
Resources and information about this issue for partners
Exchange patch information