Hotfix Updates Exchange 2016-SE (Sep 2025)


The Exchange product group released the September 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

Hotfix updates do not contain security fixes but address functional issues. They might also introduce or add support for functionality changes, such as dedicated Exchange hybrid app support.

Exchange            SU/HU   Download   Build          KB          Supersedes
Exchange SE         2       Download   15.2.2562.27   KB5066373
Exchange 2019 CU15  4       Download   15.2.1748.37   KB5066372   KB5057651
Exchange 2019 CU14  7       Download   15.2.1544.34   KB5066371   KB5057652
Exchange 2016 CU23  18      Download   15.1.2507.59   KB5066370   KB5057653

Changes

The issue addressed in these hotfixes is:

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, etc.). To make the required changes related to the Graph permissions model, you have some more time, as that will become required in October 2026. For more information, please visit this link.

Do note that Microsoft has scheduled some planned disruptions. This is likely an attempt to nudge those Exchange hybrid customers who have not yet implemented the new dedicated hybrid app. So, if you are running Exchange hybrid with mailboxes on-premises and in Exchange Online, have not deployed the April 2025 SU or later, or did not implement the dedicated Exchange hybrid app, here are some time windows to keep an eye on:

  • Sep 16-18 (7am-7am). Affected regions: WW, GCC, GCC-H, DoD, 21Vianet
  • Oct 7-9 (7am-7am).

Symptoms: Users with mailboxes on-premises might not be able to see free/busy, MailTips or profile pictures from users with a mailbox in Exchange Online. Only EWS functionality is affected, thus things such as migration jobs and mail flow keep functioning.

For more information, keep an eye on the EHLO blog announcements.

Hotfix Updates Exchange 2016-2019 (May 2025)


The Exchange product group released the May 2025 Hotfix Updates for Exchange Server 2019 and Exchange Server 2016.

Hotfix updates do not contain security fixes but address functional issues. They might also introduce or add support for functionality changes, such as the dedicated Exchange hybrid app support added in the April hotfixes.

Exchange            Download   Build          KB          Supersedes
Exchange 2019 CU15  Download   15.2.1748.26   KB5057651   KB5050672
Exchange 2019 CU14  Download   15.2.1544.27   KB5057652   KB5050673
Exchange 2016 CU23  Download   15.1.2507.57   KB5057653   KB5050674

Changes

Issues addressed in these hotfixes are:

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, among others). To make the required changes related to the Graph permissions model, you have some more time, as that will become required in October 2026. For more information, please visit this link.

Exchange 0-days: CVE-2022-41040 & CVE-2022-41082


Update (Oct 10, 2022): Updated URL Rewrite Rule (again).

At the end of last week, the Exchange world was made aware of a 0-day vulnerability and exploit through the following tweet by security researcher Kevin Beaumont. The tweet referenced a write-up by GTSC Cyber Security, which published their discovery of what looked like a variation on ProxyShell, allowing for remote code execution. The vulnerabilities have been registered by the Common Vulnerabilities and Exposures program as CVE-2022-41040 (ZDI-CAN-18333 at Zero Day Initiative) and CVE-2022-41082 (ZDI-CAN-18802).

The 0-day impacts current versions of Exchange Server 2019 and Exchange Server 2016, as well as Exchange Server 2013, when published externally. If you have Exchange Hybrid deployed only for recipient management or mail flow (i.e. no inbound traffic on https/443), you should be OK. Similar to ProxyShell, the vulnerability consists of sending manufactured requests to the Exchange server, e.g.

Read the full article on ENow here.

Update (Oct 10): The (original) filter to mitigate the situation, as specified originally by GTSC as well as by various websites, is too specific. The filter can easily be circumvented by slightly different, but effectively identical, variations on the manufactured request. The latest rule to filter requests is:

(?=.*autodiscover)(?=.*powershell) 

Update any existing mitigation IIS URL Rewrite rules to use this regular expression as the pattern for {UrlDecode:{REQUEST_URI}}, with the action set to Abort Request so that any matching request is blocked. When using EEMS, this rule will also be deployed in the most recent update (1.0.9). Microsoft rather silently updated the filter in their published EEMS rules during the weekend.

Microsoft also added a recommendation to their advisory to disable Remote PowerShell for non-administrator roles (instructions here). For those wanting to hunt for indicators of compromise, check the end of the Security blog post.

Vendors are also offering solutions to filter these requests using their network devices:

At the time of writing, Microsoft has not published a security fix yet.

The Last Exchange Server


In the announcement of the most recent set of Cumulative Updates for Exchange Server 2019 and 2016, Microsoft introduced some changes – features if you will – as well, which were received with enthusiasm. An overview of these Cumulative Updates and the features introduced was given in an earlier article. In this article however, I would like to zoom in on one of those features, which also happens to be a popular topic among customers running Exchange Hybrid deployments, “The Last Exchange Server”.

Up to Exchange 2019 CU12 (2022 H1), customers that migrated to Exchange Online were still required to leave Exchange-related components running on-premises. Even today, with all the information published around this topic, I am surprised this still surprises customers. This Exchange server running on-premises is to be used for managing recipients which have their source of authority in Active Directory, leveraging Active Directory Connect to propagate objects to Azure Active Directory and thus Exchange Online. Also, when there is a need to relay messages from applications or multi-functional devices, customers often need to have an Exchange server on-premises to accept these messages, as Exchange is the only supported mail relay product for hybrid deployments.

Click here to read the full article on ENow Solutions blog.