#Microsoft Exchange Server

**According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?** Yes, the attacker must be authenticated.

**Are there any more actions I need to take to be protected from this vulnerability?** Yes. Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack. For more information, see Exchange Server Support for Windows Extended Protection **Is there more information available about this release of Exchange Server?** For more information on this issue, please see The Exchange Blog.

**Are there any more actions I need to take to be protected from this vulnerability?** Yes. Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack. For more information, see Exchange Server Support for Windows Extended Protection **Is there more information available about this release of Exchange Server?** For more information on this issue, please see The Exchange Blog.

**Are there any more actions I need to take to be protected from this vulnerability?** Yes. Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack. For more information, see Exchange Server Support for Windows Extended Protection **Is there more information available about this release of Exchange Server?** For more information on this issue, please see The Exchange Blog.

**Are there any more actions I need to take to be protected from this vulnerability?** Yes. Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack. For more information, see Exchange Server Support for Windows Extended Protection **Is there more information available about this release of Exchange Server?** For more information on this issue, please see The Exchange Blog.

**Are there any more actions I need to take to be protected from this vulnerability?** Yes. Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack. For more information, see Exchange Server Support for Windows Extended Protection **Is there more information available about this release of Exchange Server?** For more information on this issue, please see The Exchange Blog.

**Are there any more actions I need to take to be protected from this vulnerability?** Yes. Customers vulnerable to this issue would need to enable Extended Protection in order to prevent this attack. For more information, see Exchange Server Support for Windows Extended Protection **Is there more information available about this release of Exchange Server?** For more information on this issue, please see The Exchange Blog.

 **Do I need to take further steps to be protected from this vulnerability?** Because of additional security hardening work for CVE-2022-21978, the following actions should be taken in addition to application of May 2022 security updates: For customers that have Exchange Server 2016 CU22 or CU23, or Exchange Server 2019 CU11 or CU12 installed Install the May 2022 SU first and then run one of the following commands using Setup.exe in your Exchange Server installation path (e.g., …\\Program Files\\Microsoft\\Exchange Server\\v15\\Bin): * Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains * Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains For customers that have Exchange Server 2013 CU23 installed: Install the May 2022 SU first and then run the following command using Setup.exe in your Exchange Server installation path (e.g., …\\Program Files\\Microsoft\\Exchange Server\\v15\\Bin): * Setup.exe /IAcceptEx...

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content.

**Does the attacker need to be in an authenticated role in the Exchange Server?** Yes, the attacker must be authenticated.