Exchange Admins don’t always like patching and they say, well it’s working so why fix something that ain’t broken.
Well, if you are on a CU earlier than CU15, you should really consider upgrading.
CU14 and CU15 have a number of fixes in them but not only that, you need to apply the security patches after you upgrade to CU15 on Exchange 2016 and CU4 on Exchange 2019.
The first patch is this one, here is a description:
A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected server.
The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the Exchange server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
The security update addresses the vulnerability by helping to ensure that Exchange Server properly sanitizes web requests.
The second one is, here is a brief description:
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.
Please upgrade to avoid getting your servers exploited.
Hope it helps.