Microsoft’s July 2026 security updates for Exchange Server patch four vulnerabilities across Exchange Server Subscription Edition RTM, Exchange Server 2019 CU14 and CU15, and Exchange Server 2016 CU23. Administrators should deploy the update to every on-premises Exchange server and every machine running the Exchange Management Tools, including hybrid environments with no local mailboxes.
Detailed by the Exchange Server Team on July 14, the release fixes CVE-2026-55005, CVE-2026-55006, CVE-2026-55008, and CVE-2026-55009. The set includes a remote-code-execution vulnerability, a spoofing flaw, and two elevation-of-privilege vulnerabilities.
Exchange Online is already protected. That exemption does not extend to local Exchange installations used only as management endpoints, nor to workstations carrying the Exchange management components.
The most important operational detail is that installing the July security update does not automatically remove the mitigation previously deployed for CVE-2026-42897. That Outlook Web Access vulnerability was disclosed in May and could allow specially crafted email content to execute JavaScript in the browser when a user opened the message in OWA under particular conditions.
Microsoft distributed temporary protection through the Exchange Emergency Mitigation service and the downloadable Exchange On-premises Mitigation Tool, commonly called EOMT. Those mitigations introduced known side effects, including problems with inline images, calendar printing, published calendars, OWA Light, and some Exchange health checks.
Once the July update is installed, administrators should remove the CVE-2026-42897 mitigation using the procedure appropriate to the method originally used to apply it. The update contains the underlying fix, and Microsoft says the mitigation-related problems should disappear after both actions are complete.
There is, however, a timing complication for organizations using the automated Emergency Mitigation service. Microsoft has started rolling out a service-side change that recognizes the July 2026 build as no longer requiring the mitigation, but the company does not expect that rollout to finish until July 16, 2026. Until a server receives that change, the EM service can reapply the mitigation after an administrator removes it.
That makes the safe sequence straightforward: install the July update, verify the new Exchange build, confirm that the EM service recognizes it as patched, and then remove the old mitigation. Air-gapped environments or organizations that used EOMT should roll back the mitigation through the script rather than waiting for the service-side change.
Servers that cannot yet be updated may continue running with the mitigation. They will remain subject to its known OWA and monitoring issues, however, and should not be treated as equivalent to fully patched systems.
The servicing position is significantly different for Exchange Server 2016 and Exchange Server 2019. Both products are out of support, so their July packages are available only to organizations enrolled in Microsoft’s Period 2 Extended Security Update program.
The supported July update targets are:
For example, Exchange Server 2019 CU14 receives KB5103214, identified as CU14 SU12. Microsoft’s package information says that update replaces the June 2026 release, KB5094142. The July package moves CU14 systems past build 15.02.1544.043, while patched CU15, Exchange 2016 CU23, and Exchange SE installations likewise receive updated product builds specific to their servicing branches.
Organizations running Exchange 2016 or 2019 without the current ESU entitlement cannot obtain these July fixes through normal public servicing. Microsoft’s prescribed route is migration to Exchange Server Subscription Edition rather than continued operation of an unsupported build.
That restriction matters even when an old server carries no user mailboxes. An Exchange installation retained for recipient management, hybrid configuration, SMTP relay, or administrative tooling remains part of the attack surface and still requires security servicing.
Microsoft nevertheless recommends updating all Exchange servers in the organization, rather than leaving a mixed collection of patched systems and servers protected only by the CVE-2026-42897 mitigation. Office Online Server integration may not work as expected until every Exchange server has received the update.
That caveat makes phased deployment more complicated for organizations that use OOS to preview or edit Office documents. A maintenance plan should account for temporary integration failures between the first upgraded Exchange server and the completion of the deployment across the organization.
The Exchange Management Tools should also be updated wherever they are installed. Version differences between management clients and Exchange servers can create compatibility problems, so administrators need to inventory management-only Windows servers and workstations rather than focusing exclusively on mailbox servers.
Hybrid organizations have another post-update consideration. If the Exchange authentication certificate is changed after installing the SU, Microsoft advises rerunning the Hybrid Configuration Wizard to refresh the relationship with Exchange Online.
Administrators should use the Exchange Server Health Checker before and after deployment, reboot each updated server, and verify that all Exchange services return to their expected startup state. Services left disabled after installation can indicate that setup was interrupted or failed before completing its configuration work.
The Exchange Health Checker has been updated to detect their presence. Microsoft says the groups should not be in use and may grant broader permissions than modern Exchange security groups, creating an unnecessary opportunity for abuse.
This cleanup applies even to organizations that have removed their final on-premises Exchange server. Decommissioning the server does not necessarily remove old Exchange objects, groups, permissions, or configuration data from Active Directory.
Administrators should establish that neither legacy group is still referenced before deleting it, then consider a wider Active Directory cleanup if Exchange has been removed completely. The Health Checker’s XML or verbose output may expose these groups even where the associated text report does not make their presence prominent, so checking the complete results is prudent.
The immediate priority remains installing the July 14 security update on Exchange SE and eligible ESU systems. The job is not finished when setup reports success: CVE-2026-42897 mitigations must be retired deliberately, mixed Exchange versions can disrupt Office Online Server, and forgotten management machines or legacy Active Directory groups can leave security work unfinished.
Detailed by the Exchange Server Team on July 14, the release fixes CVE-2026-55005, CVE-2026-55006, CVE-2026-55008, and CVE-2026-55009. The set includes a remote-code-execution vulnerability, a spoofing flaw, and two elevation-of-privilege vulnerabilities.
Exchange Online is already protected. That exemption does not extend to local Exchange installations used only as management endpoints, nor to workstations carrying the Exchange management components.
July’s Update Has a Post-Installation Step
The most important operational detail is that installing the July security update does not automatically remove the mitigation previously deployed for CVE-2026-42897. That Outlook Web Access vulnerability was disclosed in May and could allow specially crafted email content to execute JavaScript in the browser when a user opened the message in OWA under particular conditions.Microsoft distributed temporary protection through the Exchange Emergency Mitigation service and the downloadable Exchange On-premises Mitigation Tool, commonly called EOMT. Those mitigations introduced known side effects, including problems with inline images, calendar printing, published calendars, OWA Light, and some Exchange health checks.
Once the July update is installed, administrators should remove the CVE-2026-42897 mitigation using the procedure appropriate to the method originally used to apply it. The update contains the underlying fix, and Microsoft says the mitigation-related problems should disappear after both actions are complete.
There is, however, a timing complication for organizations using the automated Emergency Mitigation service. Microsoft has started rolling out a service-side change that recognizes the July 2026 build as no longer requiring the mitigation, but the company does not expect that rollout to finish until July 16, 2026. Until a server receives that change, the EM service can reapply the mitigation after an administrator removes it.
That makes the safe sequence straightforward: install the July update, verify the new Exchange build, confirm that the EM service recognizes it as patched, and then remove the old mitigation. Air-gapped environments or organizations that used EOMT should roll back the mitigation through the script rather than waiting for the service-side change.
Servers that cannot yet be updated may continue running with the mitigation. They will remain subject to its known OWA and monitoring issues, however, and should not be treated as equivalent to fully patched systems.
Exchange 2016 and 2019 Are Behind the ESU Gate
Exchange Server Subscription Edition customers can obtain the July update through Microsoft’s regular servicing channels. The SE package is KB5103212, and the Microsoft Update Catalog lists it as a roughly 327MB download.The servicing position is significantly different for Exchange Server 2016 and Exchange Server 2019. Both products are out of support, so their July packages are available only to organizations enrolled in Microsoft’s Period 2 Extended Security Update program.
The supported July update targets are:
- Exchange Server Subscription Edition RTM.
- Exchange Server 2019 CU15 for organizations enrolled in Period 2 ESU.
- Exchange Server 2019 CU14 for organizations enrolled in Period 2 ESU.
- Exchange Server 2016 CU23 for organizations enrolled in Period 2 ESU.
For example, Exchange Server 2019 CU14 receives KB5103214, identified as CU14 SU12. Microsoft’s package information says that update replaces the June 2026 release, KB5094142. The July package moves CU14 systems past build 15.02.1544.043, while patched CU15, Exchange 2016 CU23, and Exchange SE installations likewise receive updated product builds specific to their servicing branches.
Organizations running Exchange 2016 or 2019 without the current ESU entitlement cannot obtain these July fixes through normal public servicing. Microsoft’s prescribed route is migration to Exchange Server Subscription Edition rather than continued operation of an unsupported build.
That restriction matters even when an old server carries no user mailboxes. An Exchange installation retained for recipient management, hybrid configuration, SMTP relay, or administrative tooling remains part of the attack surface and still requires security servicing.
Mixed Builds Can Break Office Online Server
The July security updates are cumulative, so an organization does not need to install every missed security or hotfix update sequentially. A server already running a compatible cumulative update can move directly to the latest July SU.Microsoft nevertheless recommends updating all Exchange servers in the organization, rather than leaving a mixed collection of patched systems and servers protected only by the CVE-2026-42897 mitigation. Office Online Server integration may not work as expected until every Exchange server has received the update.
That caveat makes phased deployment more complicated for organizations that use OOS to preview or edit Office documents. A maintenance plan should account for temporary integration failures between the first upgraded Exchange server and the completion of the deployment across the organization.
The Exchange Management Tools should also be updated wherever they are installed. Version differences between management clients and Exchange servers can create compatibility problems, so administrators need to inventory management-only Windows servers and workstations rather than focusing exclusively on mailbox servers.
Hybrid organizations have another post-update consideration. If the Exchange authentication certificate is changed after installing the SU, Microsoft advises rerunning the Hybrid Configuration Wizard to refresh the relationship with Exchange Online.
Administrators should use the Exchange Server Health Checker before and after deployment, reboot each updated server, and verify that all Exchange services return to their expected startup state. Services left disabled after installation can indicate that setup was interrupted or failed before completing its configuration work.
Health Checker Now Flags Exchange 2003-Era Groups
Alongside the July release, Microsoft is drawing attention to two deprecated Active Directory security groups: Exchange Domain Servers and Exchange Enterprise Servers. These groups have been obsolete since Exchange Server 2007 but may still exist in domains that have undergone multiple generations of Exchange upgrades.The Exchange Health Checker has been updated to detect their presence. Microsoft says the groups should not be in use and may grant broader permissions than modern Exchange security groups, creating an unnecessary opportunity for abuse.
This cleanup applies even to organizations that have removed their final on-premises Exchange server. Decommissioning the server does not necessarily remove old Exchange objects, groups, permissions, or configuration data from Active Directory.
Administrators should establish that neither legacy group is still referenced before deleting it, then consider a wider Active Directory cleanup if Exchange has been removed completely. The Health Checker’s XML or verbose output may expose these groups even where the associated text report does not make their presence prominent, so checking the complete results is prudent.
The immediate priority remains installing the July 14 security update on Exchange SE and eligible ESU systems. The job is not finished when setup reports success: CVE-2026-42897 mitigations must be retired deliberately, mixed Exchange versions can disrupt Office Online Server, and forgotten management machines or legacy Active Directory groups can leave security work unfinished.
References
- Primary source: Microsoft Exchange Team Blog
Published: Tue, 14 Jul 2026 17:18:39 GMT
- Official source: support.microsoft.com
Опис оновлення системи безпеки для Microsoft Exchange Server 2016 CU23
Опис оновлення системи безпеки для Microsoft Exchange Server 2016 CU23: 09 червня 2026 р. (KB5094144)support.microsoft.com