
V-259711

CAT II (Medium)

Exchange must have the most current, approved Cumulative Update installed.

Rule ID

SV-259711r961683_rule

STIG

Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-002605

Discussion

Failure to install the most current Exchange Cumulative Update (CU) leaves a system vulnerable to exploitation. Current CUs correct known security and system vulnerabilities.

Check Content

Determine the most current, approved service pack.

Open the Exchange Management Shell and enter the following command:

Get-ExchangeServer | Select-Object -Property Name, AdminDisplayVersion | Format-List

If the value of "AdminDisplayVersion" does not return the most current, approved Cumulative Update (CU), this is a finding.
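
One way to script this comparison across several servers, as an added example that is not part of the STIG. The function name Test-ExchangeCuCompliance, the status strings, and the sample rows are assumptions made for illustration; the approved build must come from the organization's own record of the approved CU.

```powershell
# Added example, not STIG text. Compares each server's AdminDisplayVersion with
# the approved CU build and reports a finding on any mismatch.
function Test-ExchangeCuCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Server,
        [Parameter(Mandatory)] [version] $ApprovedBuild
    )
    process {
        # AdminDisplayVersion renders as "Version <major.minor> (Build <build.rev>)".
        # Parsing the string works for live and deserialized (remote) objects alike.
        $text = [string]$Server.AdminDisplayVersion
        $installed = $null
        if ($text -match 'Version (\d+\.\d+) \(Build (\d+\.\d+)\)') {
            $installed = [version]"$($Matches[1]).$($Matches[2])"
        }

        # The check treats anything other than the approved CU as a finding.
        if ($null -eq $installed) {
            $status = 'Finding'; $reason = 'Version string could not be parsed'
        }
        elseif ($installed -eq $ApprovedBuild) {
            $status = 'NotAFinding'; $reason = 'Matches approved CU'
        }
        elseif ($installed -lt $ApprovedBuild) {
            $status = 'Finding'; $reason = 'Older than approved CU'
        }
        else {
            $status = 'Finding'; $reason = 'Newer than the approved CU on record'
        }

        [pscustomobject]@{
            Name = $Server.Name; Installed = $installed
            Approved = $ApprovedBuild; Status = $status; Reason = $reason
        }
    }
}

# Constructed sample rows standing in for Get-ExchangeServer output. The build
# numbers are made up and do not correspond to real CUs.
$sample = @(
    [pscustomobject]@{ Name = 'MBX01'; AdminDisplayVersion = 'Version 15.2 (Build 1000.10)' }
    [pscustomobject]@{ Name = 'MBX02'; AdminDisplayVersion = 'Version 15.2 (Build 900.4)' }
    [pscustomobject]@{ Name = 'MBX03'; AdminDisplayVersion = '' }
)
$sample | Test-ExchangeCuCompliance -ApprovedBuild '15.2.1000.10' | Format-Table -AutoSize
```

In the Exchange Management Shell, pipe Get-ExchangeServer into the function in place of $sample and pass the approved build as a four-part version string.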

Fix Text

Consult the EDSP for the accepted update process within the organization.

Install the most current, approved CU. As a best practice, Microsoft recommends always installing the latest CU when creating a new server. Keep existing servers as up to date as possible and back up any customizations. Follow any additional recommendations on the following website:
https://learn.microsoft.com/en-us/Exchange/plan-and-deploy/install-cumulative-updates?view=exchserver-2019

All Exchange 2019 updates can be found on the Microsoft Exchange update site:
https://learn.microsoft.com/en-us/Exchange/new-features/updates?view=exchserver-2019

Exchange CUs must be manually downloaded. Since CUs are full installations of Exchange, there is no need to install the "Release to Manufacturer" version first. However, once installed, a CU cannot be uninstalled. Install the CU on a test server before placing it in production to ensure that it does not disrupt services or conflict with existing configurations.

Note: Some CUs will require an Active Directory Schema extension, which adds new Exchange attributes. Consult the EDSP and ensure appropriate permissions before beginning an update.

Note: If the Exchange server is connected to the web or internal Windows Update Services, security updates (SUs) can be downloaded and triggered through Windows Update by going to Windows Update >> Advanced Options >> "Choose how updates are installed" and selecting the box "Give me updates for other Microsoft products when I update Windows".