Security Updates Exchange 2016-SE (Jul2026)

The Exchange product group released the July 2026 updates for Exchange Server SE, as well as Exchange 2019 and 2016. The Security Update for Exchange SE is available to the public. Security updates for Exchange 2019 and Exchange 2016 are available to organizations enrolled in the Extended Security Update Period 2 program.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2026-55005Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2026-55006Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2026-55008SpoofingCriticalCVSS:3.1 9.6 / 8.3
CVE-2026-55009Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8

The Security Updates for each supported Exchange Server build are linked below:

ExchangeSU/HUDownloadBuildKBSupersedes
Exchange SE8Download15.2.2562.45KB5103212KB5094139
Exchange 2019 CU159ESU Period 215.2.1748.48KB5103213KB5094140
Exchange 2019 CU1412ESU Period 215.2.1544.43KB5103214KB5094142
Exchange 2016 CU2323ESU Period 215.1.2507.71KB5103215KB5094144

Known Issue

Be aware of the following issue after installing these SU:

CVE-2026-42897

As a reminder, you may remove implemented mitigations for CVE-2026-42897. These mitigations could be deployed using Exchange Emergency Mitigation Service (EMS), or manually using the EOMT.ps1 script. If you used EMS, block the mitigation (M2.1.0) from re-applying, then remove its IIS rules. If you used the EOMT.ps1 script, use it to roll back the mitigation.

Notes

  • Security updates are specific to the Cumulative Update level. You cannot apply the Exchange 2019 CU15 security update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft includes the KB article number as a reference, but I would still tag the filename with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the urgency level.

This entry was posted in Exchange Server and tagged , , by Michel de Rooij. Bookmark the permalink.
Unknown's avatar

About Michel de Rooij

Michel de Rooij, with over 25 years of mixed consulting and automation experience with Exchange and related technologies, is a consultant for Rapid Circle. He assists organizations in their journey to and using Microsoft 365, primarily focusing on Exchange and associated technologies and automating processes using PowerShell or Graph. Michel's authorship of several Exchange books and role in the Office 365 for IT Pros author team are a testament to his knowledge. Besides writing for Practical365.com, he maintains a blog on eightwone.com with supporting scripts on GitHub. Michel has been a Microsoft MVP since 2013.

Leave a Reply