The Exchange product group released the July 2026 updates for Exchange Server SE, as well as Exchange 2019 and 2016. The Security Update for Exchange SE is available to the public. Security updates for Exchange 2019 and Exchange 2016 are available to organizations enrolled in the Extended Security Update Period 2 program.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
| Vulnerability | Category | Severity | Rating |
|---|---|---|---|
| CVE-2026-55005 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7 |
| CVE-2026-55006 | Elevation of Privilege | Important | CVSS:3.1 7.8 / 6.8 |
| CVE-2026-55008 | Spoofing | Critical | CVSS:3.1 9.6 / 8.3 |
| CVE-2026-55009 | Elevation of Privilege | Important | CVSS:3.1 7.8 / 6.8 |
The Security Updates for each supported Exchange Server build are linked below:
| Exchange | SU/HU | Download | Build | KB | Supersedes |
|---|---|---|---|---|---|
| Exchange SE | 8 | Download | 15.2.2562.45 | KB5103212 | KB5094139 |
| Exchange 2019 CU15 | 9 | ESU Period 2 | 15.2.1748.48 | KB5103213 | KB5094140 |
| Exchange 2019 CU14 | 12 | ESU Period 2 | 15.2.1544.43 | KB5103214 | KB5094142 |
| Exchange 2016 CU23 | 23 | ESU Period 2 | 15.1.2507.71 | KB5103215 | KB5094144 |
Known Issue
Be aware of the following issue after installing these SU:
CVE-2026-42897
As a reminder, you may remove implemented mitigations for CVE-2026-42897. These mitigations could be deployed using Exchange Emergency Mitigation Service (EMS), or manually using the EOMT.ps1 script. If you used EMS, block the mitigation (M2.1.0) from re-applying, then remove its IIS rules. If you used the EOMT.ps1 script, use it to roll back the mitigation.
Notes
- Security updates are specific to the Cumulative Update level. You cannot apply the Exchange 2019 CU15 security update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft includes the KB article number as a reference, but I would still tag the filename with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
- Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
- Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the urgency level.

You must be logged in to post a comment.