I've had one device update to 10.0.19042.508 but everything else is still running on 10.0.19042.450 and is showing no updates available
A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others. September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate …
I am always curious about the history of a security bug. Was it introduced years ago, was it in new code, when did it get caught, had it been modified, reviewed (and by whom), did it get caught by static code analyzers, and, finally, the expertise of the implementors.
I wonder anyone who analyzes MS binaries for a living (or as a hobby) can trace back the evolutionary path of the bug. I doubt MS will come forward with real data but aggregate data would help.
Unless you are running a supported CU you won't get any security updates even if the product is affected. These are the last CU for versions in Extended support (CU 23 for Exchange 2013) or the current or current -1 for versions in mainstream support (16 and 17 for Exchange 2016, 5 and 6 for 2019).
Short answer, yes you are probably vulnerable and will need to update to a supported CU then apply the hotfix. They only list supported CUs on the CVE.
Also, 2016 goes into extended support in October. The last planned CU for 2016 will be released in December. This will be the only supported CU from that point.
One other point, if you are planning on upgrading your CU, probably best to wait until next week. If they keep the usual release cadence, then the next CU for 2016/2019 should be released on Tuesday. At this point 17 and 18 will be the supported CUs for 2016, 6 and 7 for 2019.
If upgrading from an old CU, then you need to ensure you have the correct .NET versions as well. Check out the support matrix here.
Make sure you read the release notes, especially if moving from a really old CU as there may be AD and schema updates or pre-req changes.
""That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers," Childs explained."
That rather depends on what the malicious code does once it runs, doesn't it? Apparently there's nothing to stop it downloading a worm with network privilege escalation.