Released: June 2026 Exchange Server Security Updates
NOTE: Our partners in documentation publishing notified us of an issue that is causing documentation on the learn.microsoft.com domain not to show the latest documentation version. The issue is being worked on.
Microsoft has released Security Updates (SUs) for vulnerabilities found in:
- Exchange Server Subscription Edition (SE)
- Exchange Server 2019
- Exchange Server 2016
SUs are available for the following specific versions of Exchange Server:
- Exchange SE RTM
- Exchange Server 2019 CU14 and CU15 (to access, organization must be enrolled into the Period 2 ESU program)
- Exchange Server 2016 CU23 (to access, organization must be enrolled into the Period 2 ESU program)
The June 2026 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes, as well as CVE-2026-42897, which we announced in: Addressing Exchange Server May 2026 vulnerability CVE-2026-42897 | Microsoft Community Hub.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on ‘Server Software’ under Product Family for Exchange SE and ‘ESU’ under Product Family for Exchange 2016 and 2019).
Update to ensure continued function of Exchange Emergency Mitigation (EM) and Feature Flighting services
Due to a service-side change, the Exchange Emergency Mitigation (EM) and Exchange Flighting services will be unable to use configuration files released in July 2026 or later unless Exchange is updated to the June 2026 update (or newer). Any mitigations already downloaded and applied will keep working, but servers will not be able to use any new mitigations starting in July 2026 unless updates are installed. Please see Exchange mitigation and flighting services fail due to "Unknown Issuer" error for more details.
CVE-2026-42897 mitigations after installation
As part of our ongoing efforts to strengthen security and improve defenses across environments, we continue to enhance protections against cross-site scripting attacks. We recommend that customers keep the CVE-2026-42897 mitigation in place. The mitigation provides an additional layer of defense and helps ensure continuous protection as further improvements are released. Additional updates will be shared as they become available.
Installing the June 2026 update does not automatically remove already applied CVE-2026-42897 mitigations. Therefore, if you choose to remove mitigations after installation, you should:
If mitigation was applied using Exchange Emergency Mitigation (EM) Service:
- Block the mitigation M2 from re-applying. Because we recommend keeping the CVE-2026-42897 mitigation in place, we have not yet changed the mitigation to skip servers that are updated to the June 2026 SU. Therefore, at this time, you must block the mitigation from re-applying first.
- Remove the mitigation M2 IIS rules.
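An added example (not from this post or from Microsoft's scripts) for the first step above, using the `MitigationsApplied` and `MitigationsBlocked` properties exposed by `Get-ExchangeServer` and `Set-ExchangeServer` in the Exchange Management Shell. The helper names `Get-MitigationState` and `Block-Mitigation` and the server name `EX01` are hypothetical.

```powershell
# Added example; run in the Exchange Management Shell.
# Assumes the EM service reports the mitigation under the ID "M2", as named in this post.
$MitigationId = 'M2'

function Get-MitigationState {
    # One row per server: is the mitigation currently applied, and is it blocked?
    Get-ExchangeServer | ForEach-Object {
        [pscustomobject]@{
            Server  = $_.Name
            Applied = @($_.MitigationsApplied) -contains $MitigationId
            Blocked = @($_.MitigationsBlocked) -contains $MitigationId
        }
    }
}

function Block-Mitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Server)

    foreach ($name in $Server) {
        $current = @((Get-ExchangeServer -Identity $name).MitigationsBlocked)
        # Passing an array replaces the whole list, so keep IDs that are already blocked.
        $new = @($current + $MitigationId | Where-Object { $_ } | Select-Object -Unique)
        if ($PSCmdlet.ShouldProcess($name, "Block $MitigationId from re-applying")) {
            Set-ExchangeServer -Identity $name -MitigationsBlocked $new
        }
    }
}

# 1. Review every server before changing anything.
Get-MitigationState | Format-Table -AutoSize

# 2. Preview the change on an updated server (EX01 is a placeholder name),
#    then run again without -WhatIf to apply it.
Block-Mitigation -Server 'EX01' -WhatIf

# 3. Confirm Blocked is True for that server before removing the M2 IIS rules;
#    the rule names are not listed in this post.
Get-MitigationState | Where-Object Server -eq 'EX01'
```

Servers that stay on the mitigation should show `Applied = True` and `Blocked = False` in the report.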
If mitigation was applied using the downloadable EOMT script https://aka.ms/UnifiedEOMT:
Exchange 2016 and 2019 updates are available only under the Period 2 ESU program
Exchange Server 2016 and 2019 are out of support. Only customers who enrolled in the Period 2 Extended Security Update (ESU) program are eligible to receive Exchange Server 2016 and 2019 security updates released between May and October 2026.
If you are not part of the Period 2 ESU program, migrate to Exchange Server Subscription Edition (SE) to keep receiving the latest security updates.
If you have already purchased the Period 2 ESU and need information on accessing the latest Security Updates, please contact us by sending an email to [email protected].
Update installation
The following update paths are available:
- Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
- Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
- Re-run the Health Checker after you install an update to see if any further actions are needed.
- After setup is completed, please reboot the server and check that all Exchange services have started properly. If some services are in a disabled state, that indicates that something interrupted installation of the update. Please see the Workaround 1 in this article.
- If you encounter errors during or after installation of Exchange Server, run the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates. Also please see File version error when you try to install Exchange Server updates.
FAQs
When CVE-2026-42897 mitigations were released, there were several reported known issues. Are those solved in the CVE-2026-42897 fix (June 2026 SU)?
Yes, when the June 2026 SU is installed and the mitigation is removed, the known issues should be resolved too. But note that mitigations are not removed automatically after installation of the SU (and we recommend that you keep them enabled for a little while longer).
If we update some of our servers but cannot update others, can servers that will not receive the update stay with CVE-2026-42897 mitigations? Is it OK to have some servers updated and some still using mitigations?
You can continue using mitigations on any servers that you cannot update to the June 2026 SU (or newer). But note that known issues from mitigations will continue to apply to those servers. Additionally, after applying this update, Office Online Server (OOS) integration with Exchange Server might not function as expected until all Exchange servers in the organization have been updated.
We updated our servers to the June 2026 (or newer) update, but we still have trouble with known issues caused by mitigations. Why is this?
Installing the June 2026 (or newer) update does not automatically remove mitigations. Please see the post above. Currently, we recommend that mitigations stay in place, but they can be removed as per the above.
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.
The last SU/HU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs or HUs in sequential order; simply install the latest SU. Please see this blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.
Our organization does not have the Exchange 2016 and 2019 Period 2 ESU. How can we get current Exchange 2016 or 2019 updates?
Since Exchange 2016 and 2019 are now out of support, only customers who have enrolled into the Period 2 ESU program (which is valid between May and October 2026) can obtain Exchange 2016 or 2019 updates released after May 2026. For all other customers still running Exchange 2016 or 2019, we recommend that you upgrade your organization to Exchange SE as soon as possible.
Documentation may not be fully available at the time this post is published.
This post might receive future updates; they will be listed here (if available).
The Exchange Server Team