KB5014261 for Exchange Servers 2016 and 2019

Microsoft released May month’s security update for Exchange Servers 2016 and 2019 on 10th of May, 2022. This update will supersede the previous month’s Exchange security update, KB5012698. We look at the key aspects on KB5014261 for Exchange Servers 2016 and 2019.

Salient points about KB5014261 for Exchange Servers 2016 and 2019:

KB5014261 is a security update that supersedes KB5012698.
KB5014261 is needed to resolve the ‘Elevation of Privilege’ vulnerability affecting Exchange Servers. More details of the affected versions of Exchange Servers are shared below.
This update can be applied to Exchange Server 2016 Cumulative Update 22 and Cumulative Update 23.
On a similar note, the KB5014261 security update can be applied to Exchange Server 2019 Cumulative Update 11 and Cumulative Update 12.
All the previous versions of Exchange Server can be upgraded to the Exchange Server 2016 or Exchange Server 2019 before patching with KB5014261.
Once the security update KB5014261 is deployed, you will need to execute specific setup commands on the Exchange Server to mitigate the threat associated with CVE-2022-21968.
Post-deployment of KB5014261, the Exchange Server will require a reboot. Please plan for a maintenance window to patch the Exchange Servers.

KB5014261 – Vulnerability resolved in the security update

Exchange Servers 2016 (CU 23 and CU 24) and Exchange Servers 2019 (CU 11 and CU 12) are impacted by the CVE-2022-21978 vulnerability. This can cause an ‘Elevation of Privilege’ vulnerability.

Salient points about CVE-2022-21978 vulnerability for Exchange Servers:

This is a CVSS 8.2 vulnerability. This makes for a vulnerability that has ‘HIGH’ severity for the infrastructure.
The exploitability assessment for CVE-2022-21978 suggests that this vulnerability has not been exploited yet. It is less likely to be exploited.
The attacker needs to be authenticated to the target Exchange Server before the vulnerability can be exploited. The attacker could exploit the vulnerability to assume the rights of the Domain Administrator.

CVE-2022-21978 on Exchange Server needs to be mitigated by following the process below:

Deploy the KB5014261 security update on Exchange Server 2016 and Exchange Server 2019.
Once deployed, you will need to run the /PrepareAllDomains command from the Exchange Server path.
The Exchange Server path is Program Files\Microsoft\Exchange Server\v15\Bin. From this path, you will need to run one of the Setup commands given below:

Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains
Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains

These commands can be executed on Exchange Server 2016 CU 22 and CU 23. On a similar basis, these commands can also be executed on Exchange Server 2019 CU 11 and CU 12. Before you can run the /PrepareAllDomains commands, you will need to make sure that you are a member of the Enterprise Admin security group.

You can read the mitigation process in detail on the Microsoft website that covers CVE-2022-21978.

How can I get KB5014261 for Exchange Servers 2016 and 2019?

KB5014261 for Exchange Servers is available through all the regular means of Windows Updates.

You can apply KB5014261 automatically through Windows Update.
You can also download the update manually from the Microsoft Download Center.
KB5014261 updates are released for four editions of Exchange Server. These CAB files can be downloaded directly from the Microsoft Update Catalog page for KB5014261. On the catalog page, you will see different options for KB5014261.
KB5014261 can be downloaded for Exchange Server 2016 CU 22. The CAB file has a size of 150.2 MB.
KB5014261 can be downloaded for Exchange Server 2016 CU 23. The CAB file has a size of 150.2 MB.
KB5014261 is available for Exchange Server CU 11. The size of the CAB file is 153.7 MB.
KB5014261 is available for Exchange Server CU 12. The size of the CAB file is 153.7 MB.

Once the security update has been downloaded and installed on the Exchange Server, the server will reboot to complete the update process.

How can I install KB5014261 on Exchange Server?

KB5014261 can be installed through the self-extracting EXE file manually. Automatic installation through Windows Update will involve the installation of the MSP file on the Exchange Server. We take a look at the method that will allow you to install KB5014261 on the Exchange Server manually.

Disable the anti-virus software on Exchange Server.
Open an elevated Command Prompt window (not PowerShell) as an administrator, like this:
Select Start and then enter cmd.
Right-click Command Prompt in the results and select Run as administrator.
If the User Account Control dialog box appears, select Yes and then Next.
At the command prompt, enter the full path to the folder that contains the ‘EXE file’, then press ‘Enter’.
Note: Do not double-click the ‘EXE file’ to run it.
When the installation is complete, re-enable the antivirus software and restart your computer. (The installation program may prompt you to restart.)

Installation logs are stored automatically by the Setup process through the self-extracting EXE update file. The logs will be helpful in working out issues that may be experienced during the deployment phase.

Summary

KB5014261 is applicable to Exchange Servers 2016 (CU22 and CU23) and Exchange Servers 2019 (CU11 and CU12). The security update contains a fix for CVE-2022-21978, a CVSS 8.2 security threat. You can download the patch through the Microsoft Update Catalog or Microsoft Download Center for Exchange Server.

You may also like to read more about the content related to Windows Updates:

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.