The Exchange product group released the June 2026 Security Updates for Exchange Server SE, Exchange 2019, and Exchange 2016. There were no updates released in January, so if you missed those, you didn’t. The SE SU is available to the public. Security updates for Exchange 2019 and Exchange 2016 will be available to organizations enrolled in the Extended Security Update program.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
| Vulnerability | Category | Severity | Rating |
|---|---|---|---|
| CVE-2026-42897 | Information Disclosure | Critical | CVSS:3.1 8.1 / 7.5 |
| CVE-2026-47631 | Spoofing | Important | CVSS:3.1 8.1 / 7.1 |
| CVE-2026-45583 | Remote Code Execution | Important | CVSS:3.1 7.5 / 6.5 |
| CVE-2026-45504 | Elevation of Privilege | Important | CVSS:3.1 8.8 / 7.7 |
| CVE-2026-45503 | Information Disclosure | Important | CVSS:3.1 8.1 / 7.1 |
| CVE-2026-45502 | Information Disclosure | Important | CVSS:3.1 5.0 / 4.4 |
| CVE-2026-45501 | Spoofing | Important | CVSS:3.1 6.5 / 5.7 |
| CVE-2026-45500 | Spoofing | Important | CVSS:3.1 6.1 / 5.3 |
The Security Updates for each supported Exchange Server build are linked below:
| Exchange | SU/HU | Download | Build | KB | Supersedes |
|---|---|---|---|---|---|
| Exchange SE | 7 | Download | 15.2.2562.43 | KB5094139 | KB5074992 |
| Exchange 2019 CU15 | 8 | ESU Period 2 | 15.2.1748.46 | KB5094140 | KB5074993 |
| Exchange 2019 CU14 | 11 | ESU Period 2 | 15.2.1544.41 | KB5094142 | KB5074994 |
| Exchange 2016 CU23 | 22 | ESU Period 2 | 15.1.2507.69 | KB5094144 | KB5074995 |
CVE-2026-42897
Be advised that these Security Updates do not remove any previously applied mitigations for CVE-2026-42897, whether through the EMS service (M2.1.0) or via manual configuration using the EOMT.ps1 script. More information about both options is described here. The recommendation is to keep mitigation in place. If you still wish to remove them, be advised that you need to take steps to prevent the mitigation from getting reapplied. These steps are also contained in the aforementioned article.
Fixed Issues
Other issues fixed in this update:
Emergency Mitigations & Flighting Service
Because of a server-side change, Exchange Server not patched with this June 2026 SU will stop processing emergency mitigations published after June 2026. As a result, their Emergency Mitigation Service (EMS) and Flighting Service cannot process any updates, and the Application event log will contain the following entries:
Event type: Error
Event ID: 1008
Event source: MSExchange Mitigation Service
Exception encountered while fetching mitigations: This XML is not deemed safe to consume since Response xml’s leaf certificate is from unknown issuer or has EKU mismatch
Any previously applied mitigations will continue to function.
Notes
- Security updates are specific to the Cumulative Update level. You cannot apply the Exchange 2019 CU15 security update to Exchange 2019 CU14. When downloading, the security update might carry the same name for different Cumulative Updates. Nowadays, Microsoft includes the KB article number as a reference, but I would still tag the filename with the CU level for archival purposes, e.g., Exchange2019-CU15-KBxxxxxxx-x64-en.exe.
- Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
- Suppose you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management. In that case, it is recommended that you apply the Security Update.
On a final note, as with any patch or update, it is recommended that you test it in a test environment before deploying it to production. However, it is not recommended to wait for regular maintenance cycles for security updates; a more agile approach is preferable, and the ratings indicate the urgency level.