Security Updates Exchange 2016-2019 & SE (Aug2025)

The Exchange product group released the August 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016. The SU for SE comes barely a month after the RTM release of Exchange SE.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

| Vulnerability | Category | Severity | Rating |
|---|---|---|---|
| CVE-2025-25005 | Tampering | Important | CVSS:3.1 6.5 / 5.7 |
| CVE-2025-25006 | Spoofing | Important | CVSS:3.1 5.3 / 4.6 |
| CVE-2025-25007 | Spoofing | Important | CVSS:3.1 5.3 / 4.6 |
| CVE-2025-33051 | Information Disclosure | Important | CVSS:3.1 7.5 / 6.5 |

The Security Updates for each supported Exchange Server build are linked below:

| Exchange | SU | Download | Build | KB | Supersedes |
|---|---|---|---|---|---|
| Exchange SE | 1 | Download | 15.2.2562.20 | KB5063224 | |
| Exchange 2019 CU15 | 3 | Download | 15.2.1748.36 | KB5063221 | KB5049233 |
| Exchange 2019 CU14 | 6 | Download | 15.2.1544.33 | KB5063222 | KB5049233 |
| Exchange 2016 CU23 | 17 | Download | 15.1.2507.58 | KB5063223 | KB5049233 |

Feature Changes

The November SUs for Exchange 2019 and Exchange 2016 introduced AMSI integration. AMSI was disabled by default after deploying those SUs. Now, with the August 2025 SUs, AMSI body scanning will be enabled for all protocols. Consult the documentation on how to disable AMSI scanning should you encounter any issues.

Fixed Issues

Apart from security fixes and added features, these Security Updates also correct the following issues:

Issue Fixed
Exchange Server fails to export eDiscovery search results to a discovery mailbox
Application pools stop responding and performance is affected after MSIPC is enabled
Incorrect ACE is modified through public folder management in Outlook

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
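Because each SU only applies to its own CU level, a quick compliance check is to match every server's installed build against the build table above. The following is an added example, not code from the original post or from Microsoft; the function name, status values, and the sample inventory are assumptions made for illustration.

```powershell
# Added example. Builds and KBs are taken from the table on this page,
# keyed by the first three build fields, which identify the CU level.
$AugustSU = @{
    '15.2.2562' = @{ Product = 'Exchange SE';        Build = [version]'15.2.2562.20'; KB = 'KB5063224' }
    '15.2.1748' = @{ Product = 'Exchange 2019 CU15'; Build = [version]'15.2.1748.36'; KB = 'KB5063221' }
    '15.2.1544' = @{ Product = 'Exchange 2019 CU14'; Build = [version]'15.2.1544.33'; KB = 'KB5063222' }
    '15.1.2507' = @{ Product = 'Exchange 2016 CU23'; Build = [version]'15.1.2507.58'; KB = 'KB5063223' }
}

function Test-ExchangeAugust2025SU {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Server,
        # Assumption: collected per server, e.g. from the ExSetup.exe file version.
        # [version] also parses the zero-padded form (15.02.1748.036).
        [Parameter(Mandatory)][version]$InstalledBuild
    )
    $cu = '{0}.{1}.{2}' -f $InstalledBuild.Major, $InstalledBuild.Minor, $InstalledBuild.Build
    $su = $AugustSU[$cu]
    $result = [ordered]@{
        Server     = $Server
        Installed  = $InstalledBuild.ToString()
        Product    = 'Unknown'
        Status     = 'NoMatchingSU'   # CU level not covered by the SUs listed above
        RequiredKB = $null
    }
    if ($su) {
        $result.Product = $su.Product
        if ($InstalledBuild -ge $su.Build) {
            $result.Status = 'Patched'
        } else {
            $result.Status     = 'NeedsSU'
            $result.RequiredKB = $su.KB   # the SU for this CU level, not another one
        }
    }
    [pscustomobject]$result
}

# Constructed sample inventory: server names and installed builds are made up.
$inventory = @(
    @{ Server = 'EX-SE01';  InstalledBuild = '15.2.2562.17' }
    @{ Server = 'EX19-01';  InstalledBuild = '15.2.1748.36' }
    @{ Server = 'EX19-02';  InstalledBuild = '15.02.1544.014' }
    @{ Server = 'EX16-01';  InstalledBuild = '15.1.2507.58' }
    @{ Server = 'EX19-OLD'; InstalledBuild = '15.2.1258.12' }
)
foreach ($item in $inventory) { Test-ExchangeAugust2025SU @item }
```

Servers reported as NoMatchingSU are on a CU level that none of the listed updates targets, so they need a Cumulative Update before any of these SUs can be applied.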

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, when it comes to security updates, it is recommended not to wait for regular maintenance cycles but to follow a more agile approach; the ratings indicate the level of urgency.

This entry was posted in Exchange Server by Michel de Rooij.
About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.