Microsoft released a security update designed to patch remote code execution (RCE) and information disclosure vulnerabilities in its Microsoft Exchange Server 2019, 2016, and 2013 products.

The RCE security issue is being tracked as CVE-2019-0586 and, according to Microsoft's advisory, it exists because "the software fails to properly handle objects in memory."

Attackers can run code as System user

Following a successful attack on a vulnerable Microsoft Exchange Server installation, potential attackers would be able to take advantage of System user permissions.

In order to exploit the CVE-2019-0586 vulnerability, attackers have to send maliciously crafted emails to a vulnerable Exchange server. The issue has been addressed by changing the way Microsoft Exchange handles objects in memory.

The information disclosure Microsoft Exchange Server vulnerability was assigned the CVE-2019-0588 tracking ID, and it is caused by the way Microsoft Exchange's "PowerShell API grants calendar contributors more view permissions than intended."