Security Updates Exchange 2016-2019 & SE (Dec2025)


The Exchange product group released the December 2025 Security Update for Exchange Server SE. Organizations that enrolled in the Extended Security Update program will also have access to December 2025 security updates for Exchange Server 2019 and Exchange Server 2016. These ESU updates will not be made available publicly.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability   | Category               | Severity  | Rating
----------------|------------------------|-----------|--------------------
CVE-2025-64666  | Elevation of Privilege | Important | CVSS:3.1 7.5 / 6.5
CVE-2025-64667  | Spoofing               | Important | CVSS:3.1 5.3 / 4.6

The Security Updates for each supported Exchange Server build are linked below:

Exchange           | SU/HU | Download    | Build        | KB        | Supersedes
-------------------|-------|-------------|--------------|-----------|-----------
Exchange SE        | 4     | Download    | 15.2.2562.29 | KB5071876 | KB5066366
Exchange 2019 CU15 | 6     | ESU Program | 15.2.1748.42 | KB5071875 | KB5066367
Exchange 2019 CU14 | 9     | ESU Program | 15.2.1544.37 | KB5071874 | KB5066368
Exchange 2016 CU23 | 20    | ESU Program | 15.1.2507.63 | KB5071873 | KB5066369

Fixed Issues

The issue addressed in these hotfixes is:

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the Exchange 2019 CU15 update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
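To put the notes above into practice, here is an added example (not from the original post) that checks whether an Exchange server is on the December 2025 SU build for its CU. It reads the SU-level build from ExSetup.exe, which Microsoft's build-number guidance uses because AdminDisplayVersion only reflects the CU, and compares it against the builds in the table above; the registry fallback path and the function names are assumptions of this example.

```powershell
# Added example: compare the installed Exchange build with the December 2025 SU builds listed in this post.
# Run on the Exchange server (Exchange Management Shell or plain PowerShell).
$LatestSuBuilds = @{
    '15.2.2562' = [version]'15.2.2562.29'   # Exchange SE SU4
    '15.2.1748' = [version]'15.2.1748.42'   # Exchange 2019 CU15 SU6 (ESU)
    '15.2.1544' = [version]'15.2.1544.37'   # Exchange 2019 CU14 SU9 (ESU)
    '15.1.2507' = [version]'15.1.2507.63'   # Exchange 2016 CU23 SU20 (ESU)
}

# ExSetup.exe carries the SU-level build; AdminDisplayVersion from Get-ExchangeServer does not.
function Get-InstalledExchangeBuild {
    $cmd = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
    if ($cmd) {
        $path = $cmd.Source
    } else {
        # Fallback (assumption of this example): locate the bin folder via the setup registry key.
        $setupKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
        $installPath = (Get-ItemProperty -Path $setupKey -ErrorAction Stop).MsiInstallPath
        $path = Join-Path $installPath 'Bin\ExSetup.exe'
    }
    $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    # Use the numeric parts; the FileVersion string is zero-padded (e.g. 15.02.2562.029).
    return [version]('{0}.{1}.{2}.{3}' -f $fvi.FileMajorPart, $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart)
}

function Test-ExchangeSuCurrent {
    param([version]$Installed = (Get-InstalledExchangeBuild))
    # Major.Minor.Build identifies the CU; only SUs for that exact CU can be applied.
    $cuKey = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    if (-not $LatestSuBuilds.ContainsKey($cuKey)) {
        return [pscustomobject]@{
            Installed = $Installed; Expected = $null
            Status    = 'CU not covered by this post (older or unknown CU); bring the CU current first'
        }
    }
    $expected = $LatestSuBuilds[$cuKey]
    $status = if ($Installed -ge $expected) { 'Current' } else { 'Missing SU' }
    [pscustomobject]@{ Installed = $Installed; Expected = $expected; Status = $status }
}

Test-ExchangeSuCurrent
```

Update the hash table with the builds from the next SU post and re-run it after each patch cycle.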

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

Security Updates Exchange 2016-2019 & SE (Oct2025)


The Exchange product group released the October 2025 Security Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability   | Category               | Severity  | Rating
----------------|------------------------|-----------|--------------------
CVE-2025-59249  | Elevation of Privilege | Important | CVSS:3.1 8.8 / 7.7
CVE-2025-53782  | Elevation of Privilege | Important | CVSS:3.1 8.4 / 7.3
CVE-2025-59248  | Spoofing               | Important | CVSS:3.1 7.5 / 6.5

The Security Updates for each supported Exchange Server build are linked below:

Exchange           | SU/HU | Download | Build        | KB        | Supersedes
-------------------|-------|----------|--------------|-----------|-----------
Exchange SE        | 3     | Download | 15.2.2562.29 | KB5066366 | KB5063224
Exchange 2019 CU15 | 5     | Download | 15.2.1748.39 | KB5066367 | KB5063221
Exchange 2019 CU14 | 8     | Download | 15.2.1544.36 | KB5066368 | KB5063222
Exchange 2016 CU23 | 19    | Download | 15.1.2507.61 | KB5066369 | KB5063223

Last SU for Exchange 2019 and Exchange 2016

These Security Updates are the last SUs for Exchange Server 2016 and 2019 that will be publicly available. Any Extended Security Updates (ESU) that might be released between now and April 2026 for these products need to be acquired by contacting your Microsoft Account Team.

Auth Certificate Export

Be advised that after deploying the October SU, as a security measure, Export-ExchangeCertificate can no longer be used to export the Auth Certificate. For more information, see KB5069337.

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

Hotfix Updates Exchange 2016-SE (Sep2025)


The Exchange product group released the September 2025 Hotfix Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016.

Hotfix updates do not contain security fixes, but address functional issues. They might also introduce or add support for functionality changes, such as dedicated Exchange hybrid app support.

Exchange           | SU/HU | Download | Build        | KB        | Supersedes
-------------------|-------|----------|--------------|-----------|-----------
Exchange SE        | 2     | Download | 15.2.2562.27 | KB5066373 |
Exchange 2019 CU15 | 4     | Download | 15.2.1748.37 | KB5066372 | KB5057651
Exchange 2019 CU14 | 7     | Download | 15.2.1544.34 | KB5066371 | KB5057652
Exchange 2016 CU23 | 18    | Download | 15.1.2507.59 | KB5066370 | KB5057653

Changes

The issue addressed in these hotfixes is:

Dedicated Exchange Hybrid Application

A gentle reminder that since the April 2025 security updates, Exchange hybrid supports the dedicated Exchange hybrid app. The dedicated Exchange hybrid app becomes mandatory in October 2025 for continued cross-premises functionality (free/busy, etc.). To make the required changes related to the Graph permissions model, you have some more time, as that will become required in October 2026. For more information, please visit this link.

Do note that Microsoft scheduled some planned disruptions. This is likely an attempt to nudge those Exchange hybrid customers who have not yet implemented the new dedicated hybrid app. So, if you are running Exchange hybrid with mailboxes on-premises and in Exchange Online, have not deployed the April 2025 SU or later, or did not implement the dedicated Exchange hybrid app, here are some time windows to keep an eye on:

  • Sep16-18 (7am-7am). Affected regions: WW, GCC, GCC-H, DoD, 21Vianet
  • Oct7-9 (7am-7am).

Symptoms: Users with mailboxes on-premises might not be able to see free/busy, MailTips or profile pictures from users with a mailbox in Exchange Online. Only EWS functionality is affected, thus things such as migration jobs and mail flow keep functioning.

For more information, keep an eye on the EHLO blog announcements.

Security Updates Exchange 2016-2019 & SE (Aug2025)


The Exchange product group released the August 2025 Security Updates for Exchange Server SE, Exchange Server 2019, and Exchange Server 2016. The SU for SE comes barely a month after the RTM release of Exchange SE.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability   | Category               | Severity  | Rating
----------------|------------------------|-----------|--------------------
CVE-2025-25005  | Tampering              | Important | CVSS:3.1 6.5 / 5.7
CVE-2025-25006  | Spoofing               | Important | CVSS:3.1 5.3 / 4.6
CVE-2025-25007  | Spoofing               | Important | CVSS:3.1 5.3 / 4.6
CVE-2025-33051  | Information Disclosure | Important | CVSS:3.1 7.5 / 6.5

The Security Updates for each supported Exchange Server build are linked below:

Exchange           | SU | Download | Build        | KB        | Supersedes
-------------------|----|----------|--------------|-----------|-----------
Exchange SE        | 1  | Download | 15.2.2562.20 | KB5063224 |
Exchange 2019 CU15 | 3  | Download | 15.2.1748.36 | KB5063221 | KB5049233
Exchange 2019 CU14 | 6  | Download | 15.2.1544.33 | KB5063222 | KB5049233
Exchange 2016 CU23 | 17 | Download | 15.1.2507.58 | KB5063223 | KB5049233

Feature Changes

The November 2024 SUs for Exchange 2019 and Exchange 2016 introduced AMSI integration; AMSI body scanning was disabled by default after deploying that SU. Now, with the August 2025 SUs, AMSI body scanning is enabled for all protocols. Consult the documentation on how to disable AMSI scanning should you encounter any issues.

Fixed Issues

Apart from security fixes and added features, these Security Updates also correct the following issues:

Issue Fixed
  • Exchange Server fails to export eDiscovery search results to a discovery mailbox
  • Application pools stop responding and performance is affected after MSIPC is enabled
  • Incorrect ACE is modified through public folder management in Outlook

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU15 to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft adds the KB article number as a reference, but I would still tag the file name with the CU level for archival purposes, e.g., Exchange2019-CU15-KB5063221-x64-en.exe.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it comes to security updates; a more agile approach is preferable, and the ratings indicate the level of urgency.

Exchange 2016 & 2019 ESU


In a somewhat surprising move yesterday, Microsoft announced there will be an Extended Security Update program for Exchange Server 2016 and Exchange Server 2019. The ESU is to cater to organizations that indicate they need some more time to move away from Exchange 2016/2019. I will not comment on the fact that these organizations had a few years to get current on Exchange 2019, which would have given them a smooth upgrade path now to Exchange SE, or even a move to Exchange Online.

Extended Security Update

You might already be familiar with ESU programs, which are common for Windows clients and Windows Server, among others. That said, Exchange also had its share of post-lifecycle (out-of-band) updates, such as the Hafnium security updates for Exchange 2013 and even Exchange 2010. These updates were developed and made available without any obligation, as some of them applied to products that were past their end-of-support date.

Now, the ESU program for Exchange 2016/2019 is an official extension to keep receiving published security updates for Exchange 2016/2019. To receive these, organizations can purchase a 6-month ESU for their Exchange servers. For this, they need to contact their Microsoft account manager starting August 1st, 2025. Do note that there is no guarantee that, within this period, security updates will get published, as this is entirely driven by circumstances and urgency, of course.

To make it clear: The ESU program is not an extension of support. You cannot contact support for any incident with Exchange 2016/2019 in the ESU period. That is, unless it relates to an SU that gets published during the ESU period. Thus, ESU is more for peace of mind when it comes to security, when you can live without expecting support.

The ESU period ends April 14th, 2026, 6 months after Exchange 2016 and Exchange 2019 go out of support. It is possible to get ESU after August 1st and during the 6-month ESU window. This flexibility may lead to organizations taking a gamble, waiting for an SU to appear, only to get ESU when the first SU arrives. Given that corporate purchasing processes might take some time and SUs usually come with some urgency to implement, this is not something I would recommend.

I would also not recommend seeing this ESU window as an opportunity to take it easy. The support date stands, which is what most organizations find most important. So, keep migrating, whether to Exchange SE directly or via Exchange 2019 CU15, or to Exchange Online.

Skype for Business

Skype for Business is in the same boat regarding lifecycle, and also has a similar ESU program. For more information, click here.