KB5000871 installation on Exchange 2016 CU9

Prezidentj33 101 Reputation points
2021-03-18T15:58:22.097+00:00

We run a Hybrid Exchange server linked to O365 for email. It currently has Exchange 2016 CU9 installed. If I download the CU9 security patch for the current Exchange vulnerability, KB5000871, can I just install this patch for now to fix the security issue, then update the CU to a higher version later and reinstall the security update? As I understand it, if you install the SU KB5000871 and are not on the latest version of the CU, you will have to reinstall the SU again if you update to a later version of Exchange. This is fine if we have to reinstall the security update, as right now we need to hold off on updating our Hybrid Exchange box's CU to a later version.

Can someone let me know if it's ok to install this SU on my existing Exchange version 2016 CU9?

Thank you!

Accepted answer
  1. Andy David - MVP 141.6K Reputation points MVP
    2021-03-18T16:36:32.947+00:00

    Yes, absolutely!
    Install the patch immediately to block the exploit.
    Then test to see if you are compromised:

    https://github.com/microsoft/CSS-Exchange/tree/main/Security

    Then once you have things settled down, go straight to CU20 which has the security patch included in it:
    https://support.microsoft.com/en-us/topic/cumulative-update-20-for-exchange-server-2016-98964463-f7df-4131-6b8c-4f46dafc748e

1 additional answer

  1. Prezidentj33 101 Reputation points
    2021-03-18T17:04:29.237+00:00

    @Andy David - MVP Thank you so much for the fast reply! I will reboot the server first, then open a command line as admin and run the msp file via the recommended method. Hopefully I don't run into any issues. It's a Hybrid server, so it's just relaying mail really. Seems fairly straightforward. I will be taking a backup of the server beforehand just in case. However, if anything is horribly bad, I will just uninstall the patch and try again, or roll back to the previous server backup.

    Then once installed I will run the EOMT.PS1 post install pending all is well.

    Am I missing anything?

    Thank you very much!