
OCTOBER SECURITY UPDATE FOR EXCHANGE 2013, 2016 AND 2019

On October 13, 2020 Microsoft released a security update for Exchange 2013, Exchange 2016 and Exchange 2019 that addresses the Microsoft Exchange Information Disclosure Vulnerability described in CVE-2020-16969 | Microsoft Exchange Information Disclosure Vulnerability.

An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.

To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.

The security update corrects the way that Exchange handles these token validations.

Please be aware that the updates are CU specific: each Security Update only installs on the exact Cumulative Update it was built for (see the table below), so a server running an older CU must first be brought to a supported CU before the SU can be applied. The fact that an update is released for Exchange 2013, which is already in extended support, indicates the importance of this Security Update.

When installing, start the Security Update from an elevated command prompt (Run As Administrator). Launching the .msp by double-clicking it from a non-elevated session can result in an incomplete installation, typically leaving Exchange services disabled or OWA/ECP broken. Restart the server after the update has been applied and, as always, test the security update thoroughly before rolling it out to production.

Product                                              KB Article    Download
Microsoft Exchange Server 2013 Cumulative Update 23  KB4581424     Security Update
Microsoft Exchange Server 2016 Cumulative Update 17  KB4581424     Security Update
Microsoft Exchange Server 2016 Cumulative Update 18  KB4581424     Security Update
Microsoft Exchange Server 2019 Cumulative Update 6   KB4581424     Security Update
Microsoft Exchange Server 2019 Cumulative Update 7   KB4581424     Security Update
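A pre-flight and install script along the lines of the guidance above, added here as an example; it is not part of the original post and not Microsoft's own tooling. It refuses to continue unless the session is elevated, reads the installed build from ExSetup.exe, checks whether KB4581424 is already present in the Windows Installer patch registry (Exchange SUs are MSI patches, so Get-HotFix does not list them), applies the .msp through msiexec from the elevated session and compares the resulting build with the value you supply. The patch file name and path and the expected post-install build number are assumptions; take the build number from the KB article for your CU.

```powershell
# Added example, not from the original post. Run in an elevated Exchange Management Shell
# on the Exchange server. Assumptions: the .msp follows the usual Exchange SU file-name
# pattern (adjust for your version/CU) and ExpectedBuild is the build documented in the KB.
param(
    [string]$PatchPath = "C:\Patches\Exchange2016-KB4581424-x64-en.msp",  # assumed path/name
    [string]$Kb = "KB4581424",
    [version]$ExpectedBuild   # optional; the post-SU build listed in the KB article for your CU
)

# 1. The SU must run elevated. If it is started from a non-elevated session, setup can leave
#    Exchange services disabled or OWA/ECP broken, so refuse to go on.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as Administrator) prompt."
}

# 2. Determine the installed CU/SU build from ExSetup.exe. AdminDisplayVersion from
#    Get-ExchangeServer does not change when an SU is applied, the file version does.
$setupKey  = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
$exSetup   = Join-Path (Get-ItemProperty $setupKey).MsiInstallPath 'bin\ExSetup.exe'
$installed = [version](Get-Item $exSetup).VersionInfo.ProductVersion
Write-Host "Installed Exchange build: $installed"

# 3. Has this KB already been applied? Exchange SUs are Windows Installer patches and are
#    not returned by Get-HotFix; look them up under the Installer patch registry instead.
$patchKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\Patches\*'
$already = Get-ItemProperty -Path $patchKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like "*$Kb*" }
if ($already) {
    Write-Host "$Kb is already installed: $($already.DisplayName)"
    return
}

# 4. Apply the patch with msiexec from this elevated session. /norestart lets you schedule
#    the reboot; the server still has to be restarted for the update to be complete.
if (-not (Test-Path $PatchPath)) { throw "Patch file not found: $PatchPath" }
$proc = Start-Process -FilePath msiexec.exe `
            -ArgumentList "/update `"$PatchPath`" /passive /norestart" -Wait -PassThru
Write-Host "msiexec exit code: $($proc.ExitCode) (0 = success, 3010 = success, reboot required)"

# 5. Verify the build now matches what the KB article documents for this CU.
$after = [version](Get-Item $exSetup).VersionInfo.ProductVersion
Write-Host "Exchange build after update: $after"
if ($ExpectedBuild -and $after -lt $ExpectedBuild) {
    Write-Warning "Build is $after, expected at least $ExpectedBuild; check the ExchangeSetup log."
}
```

Run it once per server, in a test environment first, and keep the ExpectedBuild check in place: a build that did not move after msiexec returned 0 is the usual sign that the patch was applied to the wrong CU or did not finish.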