Security Updates Exchange 2016-2019 & SE (Dec2025)

The Exchange product group released the December 2025 Security Update for Exchange Server SE. Organizations that enrolled in the Extended Security Update program will also have access to December 2025 security updates for Exchange Server 2019 and Exchange Server 2016. These ESU updates will not be made available publicly.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

| Vulnerability | Category | Severity | Rating |
|---|---|---|---|
| CVE-2025-64666 | Elevation of Privilege | Important | CVSS:3.1 7.5 / 6.5 |
| CVE-2025-64667 | Spoofing | Important | CVSS:3.1 5.3 / 4.6 |

The Security Updates for each supported Exchange Server build are linked below:

| Exchange | SU/HU | Download | Build | KB | Supersedes |
|---|---|---|---|---|---|
| Exchange SE | 4 | Download | 15.2.2562.29 | KB5071876 | KB5066366 |
| Exchange 2019 CU15 | 6 | ESU Program | 15.2.1748.42 | KB5071875 | KB5066367 |
| Exchange 2019 CU14 | 9 | ESU Program | 15.2.1544.37 | KB5071874 | KB5066368 |
| Exchange 2016 CU23 | 20 | ESU Program | 15.1.2507.63 | KB5071873 | KB5066369 |

Fixed Issues

The issue addressed in these hotfixes is:

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers, or installed the tools after removing the last Exchange Server for recipient management, it is recommended that you apply the Security Update there as well.
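
Because the updates are CU-specific, a quick way to audit a fleet is to compare each server's ExSetup build against the patched builds in the table above. The following is an added example, not part of the original post or any Microsoft tooling; the function name and the sample builds are hypothetical, and it assumes the first three version components identify the CU level:

```powershell
# Patched builds and KB numbers copied from the December 2025 table on this page.
$Dec2025 = @(
    [pscustomobject]@{ Product = 'Exchange SE';        Fixed = [version]'15.2.2562.29'; KB = 'KB5071876'; Source = 'Download' }
    [pscustomobject]@{ Product = 'Exchange 2019 CU15'; Fixed = [version]'15.2.1748.42'; KB = 'KB5071875'; Source = 'ESU Program' }
    [pscustomobject]@{ Product = 'Exchange 2019 CU14'; Fixed = [version]'15.2.1544.37'; KB = 'KB5071874'; Source = 'ESU Program' }
    [pscustomobject]@{ Product = 'Exchange 2016 CU23'; Fixed = [version]'15.1.2507.63'; KB = 'KB5071873'; Source = 'ESU Program' }
)

function Test-Dec2025ExchangeSU {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$InstalledBuild
    )
    process {
        # [version] normalizes zero-padded file versions such as 15.02.1748.039.
        $installed = [version]$InstalledBuild

        # Assumption: major.minor.build identifies the CU level; only the
        # fourth component (revision) changes when an SU is applied.
        $row = $Dec2025 | Where-Object {
            $_.Fixed.Major -eq $installed.Major -and
            $_.Fixed.Minor -eq $installed.Minor -and
            $_.Fixed.Build -eq $installed.Build
        }

        if (-not $row) {
            # SUs are CU-specific: no row means no December 2025 SU fits this build.
            $status = 'NoMatchingSU'
        } elseif ($installed -ge $row.Fixed) {
            $status = 'Patched'
        } else {
            $status = 'MissingSU'
        }

        [pscustomobject]@{
            Installed = $installed
            Product   = $row.Product
            Status    = $status
            Required  = $row.KB
            Source    = $row.Source
        }
    }
}

# Constructed sample builds. In the Exchange Management Shell, read the real one with:
#   (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
'15.2.2562.29', '15.02.1748.039', '15.2.1544.37', '15.1.2507.61', '15.2.1258.12' |
    Test-Dec2025ExchangeSU | Format-Table -AutoSize
```

A `NoMatchingSU` result means the server is on a CU level that none of these updates applies to, so it needs a CU upgrade before the Security Update can be installed.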

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

This entry was posted in Exchange Server by Michel de Rooij.

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.
