Security Updates Exchange 2016-2019 & SE (Feb2026)

Posted on February 11, 2026 by Michel de Rooij

The Exchange product group released the February 2026 Security Updates for Exchange Server SE, Exchange 2019, and Exchange 2016. There were no updates released in January, so if you missed those, you didn’t. The SE SU is available to the public. Security updates for Exchange 2019 and Exchange 2016 will be available to organizations enrolled in the Extended Security Update program.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability	Category	Severity	Rating
CVE-2026-21527	Spoofing	Important	CVSS:3.1 6.5 / 5.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange	SU/HU	Download	Build	KB	Supersedes
Exchange SE	5	Download	15.2.2562.37	KB5074992	KB5071876
Exchange 2019 CU15	7	ESU Program	15.2.1748.43	KB5074993	KB5071875
Exchange 2019 CU14	10	ESU Program	15.2.1544.39	KB5074994	KB5071874
Exchange 2016 CU23	21	ESU Program	15.1.2507.66	KB5074995	KB5071873

Notes

Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

Security Updates Exchange 2016-2019 & SE (Dec2025)

Posted on December 10, 2025 by Michel de Rooij

The Exchange product group released the December 2025 Security Update for Exchange Server SE. Organizations that enrolled in the Extended Security Update program will also have access to December 2025 security updates for Exchange Server 2019 and Exchange Server 2016. These ESU updates will not be made available publicly.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability	Category	Severity	Rating
CVE-2025-64666	Elevation of Privilege	Important	CVSS:3.1 7.5 / 6.5
CVE-2025-64667	Spoofing	Important	CVSS:3.1 5.3 / 4.6

The Security Updates for each supported Exchange Server build are linked below:

Exchange	SU/HU	Download	Build	KB	Supersedes
Exchange SE	4	Download	15.2.2562.29	KB5071876	KB5066366
Exchange 2019 CU15	6	ESU Program	15.2.1748.42	KB5071875	KB5066367
Exchange 2019 CU14	9	ESU Program	15.2.1544.37	KB5071874	KB5066368
Exchange 2016 CU23	20	ESU Program	15.1.2507.63	KB5071873	KB5066369

Fixed Issues

The issue addressed in these hotfixes is:

Skype for Business OWA integration fails after enabling the Dedicated Hybrid Application

Notes

Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

Security Updates Exchange 2016-2019 & SE (Oct2025)

Posted on October 14, 2025 by Michel de Rooij

The Exchange product group released the October 2025 Security Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability	Category	Severity	Rating
CVE-2025-59249	Elevation of Privilege	Important	CVSS:3.1 8.8 / 7.7
CVE-2025-53782	Elevation of Privilege	Important	CVSS:3.1 8.4 / 7.3
CVE-2025-59248	Spoofing	Important	CVSS:3.1 7.5 / 6.5

The Security Updates for each supported Exchange Server build are linked below:

Exchange	SU/HU	Download	Build	KB	Supersedes
Exchange SE	3	Download	15.2.2562.29	KB5066366	KB5063224
Exchange 2019 CU15	5	Download	15.2.1748.39	KB5066367	KB5063221
Exchange 2019 CU14	8	Download	15.2.1544.36	KB5066368	KB5063222
Exchange 2016 CU23	19	Download	15.1.2507.61	KB5066369	KB5063223

Last SU for Exchange 2019 and Exchange 2016

These Security Updates are the SUs for Exchange Server 2016 and 2019 that will be publicly available. Any Extended Security Updates (ESU) that might be released between now and April 2026 for these products need to be acquired by contacting your Microsoft Account Teams.

Auth Certificate Export

Be advised that after deploying the October SU, as a security measure, Export-ExchangeCertificate can no longer be used to export of the Auth Certificate. For more information, see KB5069337.

Notes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates and follow a more agile approach; the ratings indicate the level of urgency.

Hotfix Updates Exchange 2016-SE (Sep2025)

Posted on September 8, 2025 by Michel de Rooij

The Exchange product group released the September 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

Hotfix updates do not contain security fixes, but address issues. They also might introduce or add support for functionality changes, such as dedicated Exchange hybrid app support.

Exchange	SU/HU	Download	Build	KB	Supersedes
Exchange SE	2	Download	15.2.2562.27	KB5066373
Exchange 2019 CU15	4	Download	15.2.1748.37	KB5066372	KB5057651
Exchange 2019 CU14	7	Download	15.2.1544.34	KB5066371	KB5057652
Exchange 2016 CU23	18	Download	15.1.2507.59	KB5066370	KB5057653

Changes

The issue addressed in these hotfixes is:

Online archiving fails for on-premises users in hybrid environment

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, etc.). To make the required changes related to the Graph permissions model, you have some more time, as that will become required in October 2026. For more information, please visit this link.

Do note that Microsoft scheduled some planned disruptions.This is likely in an attempt to nudge those Exchange hybrid customers who have not yet implemented the new dedicated hybrid app. So, if you are running Exchange hybrid with mailboxes on-premises and in Exchange Online, have not deployed the April 2025 SU or later, or did not implement the dedicated Exchange hybrid app, here are some time windows to keep an eye on:

Sep16-18 (7am-7am). Affected regions: WW, GCC, GCC-H, DoD, 21Vianet
Oct7-9 (7am-7am).

Symptoms: Users with mailboxes on-premises might not be able to see free/busy, MailTips or profile pictures from users with a mailbox in Exchange Online. Only EWS functionality is affected, thus things such as migration jobs and mail flow keep functioning.

For more information, keep an eye on the EHLO blog announcements.

Security Updates Exchange 2016-2019 & SE (Aug2025)

Posted on August 12, 2025 by Michel de Rooij

The Exchange product group released the August 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016. The SU for SE comes barely a month after the RTM release of Exchange SE RTM.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability	Category	Severity	Rating
CVE-2025-25005	Tampering	Important	CVSS:3.1 6.5 / 5.7
CVE-2025-25006	Spoofing	Important	CVSS:3.1 5.3 / 4.6
CVE-2025-25007	Spoofing	Important	CVSS:3.1 5.3 / 4.6
CVE-2025-33051	Information Disclosure	Important	CVSS:3.1 7.5 / 6.5

The Security Updates for each supported Exchange Server build are linked below:

Exchange	SU	Download	Build	KB	Supersedes
Exchange SE	1	Download	15.2.2562.20	KB5063224
Exchange 2019 CU15	3	Download	15.2.1748.36	KB5063221	KB5049233
Exchange 2019 CU14	6	Download	15.2.1544.33	KB5063222	KB5049233
Exchange 2016 CU23	17	Download	15.1.2507.58	KB5063223	KB5049233

Feature Changes

The November SUs for Exchange 2019 and Exchange 2016 introduced AMSI integration. AMSI was disabled by default after deploying this SU. Now, with the August 2025 SUs, AMSI body scanning will be enabled for all protocols. Consult the documentation on how to disable AMSI scanning should you encounter any issues.

Fixed Issues

Apart from security fixes and added features, these Security Updates also correct the following issues:

Issue Fixed
Exchange Server fails to export eDiscovery search results to a discovery mailbox
Application pools stop responding and performance is affected after MSIPC is enabled
Incorrect ACE is modified through public folder management in Outlook

Notes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates and follow a more agile approach; the ratings indicate the level of urgency.