Security Updates Exchange 2016-2019 & SE (Oct2025)

Posted on by

The Exchange product group released the October 2025 Security Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
​​​​​​​​​​​​​​CVE-2025-59249Elevation of PrivilegeImportantCVSS:3.1 8.8 / 7.7
CVE-2025-53782Elevation of PrivilegeImportantCVSS:3.1 8.4 / 7.3
CVE-2025-59248SpoofingImportantCVSS:3.1 7.5 / 6.5

The Security Updates for each supported Exchange Server build are linked below:

ExchangeSU/HUDownloadBuildKBSupersedes
Exchange SE3Download15.2.2562.29KB5066366KB5063224
Exchange 2019 CU155Download15.2.1748.39KB5066367KB5063221
Exchange 2019 CU148Download15.2.1544.36KB5066368KB5063222
Exchange 2016 CU2319Download15.1.2507.61KB5066369KB5063223

Last SU for Exchange 2019 and Exchange 2016

These Security Updates are the SUs for Exchange Server 2016 and 2019 that will be publicly available. Any Extended Security Updates (ESU) that might be released between now and April 2026 for these products need to be acquired by contacting your Microsoft Account Teams.

Auth Certificate Export

Be advised that after deploying the October SU, as a security measure, Export-ExchangeCertificate can no longer be used to export of the Auth Certificate. For more information, see KB5069337.

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates and follow a more agile approach; the ratings indicate the level of urgency.

This entry was posted in Exchange Server and tagged , , , , by Michel de Rooij. Bookmark the permalink.
Unknown's avatar

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

Leave a comment