Microsoft’s July 2026 security update fixes CVE-2026-55005, an 8.8-rated remote code execution vulnerability in on-premises Exchange Server caused by a heap-based buffer overflow. An attacker needs a valid low-privilege account, but can exploit the flaw over the network without user interaction and potentially compromise the confidentiality, integrity, and availability of the server.
Microsoft published the advisory on July 14, 2026, as part of its monthly security release. The Microsoft Security Response Center rates the vulnerability Important rather than Critical because exploitation requires authentication, but that distinction should not push the update down an Exchange administrator’s queue.
The flaw affects Exchange Server Subscription Edition RTM, Exchange Server 2019 CU14 and CU15, and Exchange Server 2016 CU23. Microsoft’s Exchange Team has released July security updates for those branches, although access to the Exchange 2016 and Exchange 2019 packages is restricted to organizations enrolled in the applicable Extended Security Update program.
CVE-2026-55005 is classified as a heap-based buffer overflow under CWE-122. Microsoft’s description says an authorized attacker can trigger the memory-corruption condition remotely and execute code on the Exchange server.
Its CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attack crosses the network, does not require unusual timing or a race condition, needs only low privileges, and does not depend on an administrator opening a file or clicking a link.
The authentication requirement matters, but it is not a particularly reassuring barrier for an internet-facing messaging system. Attackers routinely acquire working credentials through password spraying, infostealer logs, phishing, credential reuse, help-desk manipulation, and compromise of synchronized cloud identities.
That makes CVE-2026-55005 especially relevant after an initial account takeover. A mailbox credential that would ordinarily provide access to email and collaboration data could reportedly become the entry point for code execution on the Exchange host itself.
The result is not the classic unauthenticated Exchange worm scenario, and Microsoft had not listed CVE-2026-55005 as publicly disclosed or exploited in the wild at publication time. The Zero Day Initiative’s July 2026 update review likewise recorded the vulnerability as neither public nor under active attack.
That is a snapshot, not a guarantee. Once patches are available, attackers can compare updated and unpatched binaries to identify the changed code, a process known as patch diffing. Exchange servers that remain behind become easier targets as technical understanding of the fix spreads.
Exchange Server Subscription Edition is the current on-premises branch and receives the publicly available security update. Exchange Server 2016 and Exchange Server 2019 reached the end of standard support on October 14, 2025, so their July 2026 updates are available only through Microsoft’s Period 2 ESU program.
That support boundary creates a serious operational divide. An organization running Exchange 2016 CU23 or Exchange 2019 CU14/CU15 without Period 2 ESU cannot treat CVE-2026-55005 as a normal Windows Update exercise; it must obtain ESU entitlement or move to Exchange Server Subscription Edition.
Exchange Online customers are already protected in Microsoft’s service and do not need to deploy an Exchange Online patch. Hybrid organizations still need to inspect every on-premises Exchange server and any workstation carrying Exchange Management Tools, because moving mailboxes to Microsoft 365 does not automatically remove the local Exchange footprint.
In a multi-server organization, leaving one node unpatched preserves an attack path. Internal-only Exchange servers should not be considered safe merely because a reverse proxy or firewall prevents direct internet access; an attacker who already controls a workstation or account can reach services from inside the network.
After deployment, administrators should confirm the new build number and run Microsoft’s Exchange Server Health Checker. They should also inspect Exchange setup logs, verify that core services restarted, test mail flow and client access, and review monitoring systems for new authentication or application errors.
Organizations should pay particular attention to environments integrated with Office Online Server. Microsoft has cautioned in its Exchange update guidance that OOS integration may not work as expected during mixed-version operation, making an orderly rollout across all Exchange servers important rather than optional.
The July update also arrives immediately after Microsoft changed requirements around the Exchange Emergency Mitigation and Feature Flighting services. Servers needed the June 2026 security update or newer to process mitigation configuration files released from July onward because of an issuer-validation change. A server that missed June and now misses July risks being both vulnerable to CVE-2026-55005 and unable to consume future emergency mitigations correctly.
Resetting every user password is not automatically warranted when there is no evidence of compromise. However, exposed credentials, stale privileged accounts, service accounts with interactive access, and identities showing suspicious sign-in activity should be remediated rather than left as possible inputs to the vulnerability.
Network controls can reduce exposure but do not replace the update. Restricting administrative endpoints, requiring multifactor authentication where supported, disabling unused services, limiting external access, and enforcing account lockout or smart-lockout policies all make it harder to obtain or use the low-privilege credentials required for the attack.
Microsoft has confirmed the vulnerability and supplied an official fix, giving the advisory’s report-confidence metric its strongest value. That does not mean exploit code is public; it means the flaw and its technical classification are no longer speculative.
For Exchange administrators, the immediate milestone is concrete: every server should report at least build 15.1.2507.71, 15.2.1544.43, 15.2.1748.48, or 15.2.2562.45, depending on its servicing branch. Any lower build remains exposed to an authenticated, network-reachable path from a compromised account to code execution on one of the organization’s most security-sensitive servers.
Microsoft published the advisory on July 14, 2026, as part of its monthly security release. The Microsoft Security Response Center rates the vulnerability Important rather than Critical because exploitation requires authentication, but that distinction should not push the update down an Exchange administrator’s queue.
The flaw affects Exchange Server Subscription Edition RTM, Exchange Server 2019 CU14 and CU15, and Exchange Server 2016 CU23. Microsoft’s Exchange Team has released July security updates for those branches, although access to the Exchange 2016 and Exchange 2019 packages is restricted to organizations enrolled in the applicable Extended Security Update program.
A Valid Mailbox Account Is the Starting Point
CVE-2026-55005 is classified as a heap-based buffer overflow under CWE-122. Microsoft’s description says an authorized attacker can trigger the memory-corruption condition remotely and execute code on the Exchange server.Its CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attack crosses the network, does not require unusual timing or a race condition, needs only low privileges, and does not depend on an administrator opening a file or clicking a link.
The authentication requirement matters, but it is not a particularly reassuring barrier for an internet-facing messaging system. Attackers routinely acquire working credentials through password spraying, infostealer logs, phishing, credential reuse, help-desk manipulation, and compromise of synchronized cloud identities.
That makes CVE-2026-55005 especially relevant after an initial account takeover. A mailbox credential that would ordinarily provide access to email and collaboration data could reportedly become the entry point for code execution on the Exchange host itself.
The result is not the classic unauthenticated Exchange worm scenario, and Microsoft had not listed CVE-2026-55005 as publicly disclosed or exploited in the wild at publication time. The Zero Day Initiative’s July 2026 update review likewise recorded the vulnerability as neither public nor under active attack.
That is a snapshot, not a guarantee. Once patches are available, attackers can compare updated and unpatched binaries to identify the changed code, a process known as patch diffing. Exchange servers that remain behind become easier targets as technical understanding of the fix spreads.
The Fixed Builds Define the Exposure
The CVE record identifies four affected servicing branches and the build levels containing the correction:- Exchange Server 2016 CU23 installations earlier than build 15.1.2507.71 remain affected.
- Exchange Server 2019 CU14 installations earlier than build 15.2.1544.43 remain affected.
- Exchange Server 2019 CU15 installations earlier than build 15.2.1748.48 remain affected.
- Exchange Server Subscription Edition RTM installations earlier than build 15.2.2562.45 remain affected.
Exchange Server Subscription Edition is the current on-premises branch and receives the publicly available security update. Exchange Server 2016 and Exchange Server 2019 reached the end of standard support on October 14, 2025, so their July 2026 updates are available only through Microsoft’s Period 2 ESU program.
That support boundary creates a serious operational divide. An organization running Exchange 2016 CU23 or Exchange 2019 CU14/CU15 without Period 2 ESU cannot treat CVE-2026-55005 as a normal Windows Update exercise; it must obtain ESU entitlement or move to Exchange Server Subscription Edition.
Exchange Online customers are already protected in Microsoft’s service and do not need to deploy an Exchange Online patch. Hybrid organizations still need to inspect every on-premises Exchange server and any workstation carrying Exchange Management Tools, because moving mailboxes to Microsoft 365 does not automatically remove the local Exchange footprint.
Patch the Organization, Not Just the Internet-Facing Node
Exchange updates should be installed from an elevated command prompt using Microsoft’s documented process, with maintenance time allowed for service interruption. Administrators should first confirm that the server is on a supported cumulative-update baseline, check available disk space, preserve recoverable backups, and record the current configuration.In a multi-server organization, leaving one node unpatched preserves an attack path. Internal-only Exchange servers should not be considered safe merely because a reverse proxy or firewall prevents direct internet access; an attacker who already controls a workstation or account can reach services from inside the network.
After deployment, administrators should confirm the new build number and run Microsoft’s Exchange Server Health Checker. They should also inspect Exchange setup logs, verify that core services restarted, test mail flow and client access, and review monitoring systems for new authentication or application errors.
Organizations should pay particular attention to environments integrated with Office Online Server. Microsoft has cautioned in its Exchange update guidance that OOS integration may not work as expected during mixed-version operation, making an orderly rollout across all Exchange servers important rather than optional.
The July update also arrives immediately after Microsoft changed requirements around the Exchange Emergency Mitigation and Feature Flighting services. Servers needed the June 2026 security update or newer to process mitigation configuration files released from July onward because of an issuer-validation change. A server that missed June and now misses July risks being both vulnerable to CVE-2026-55005 and unable to consume future emergency mitigations correctly.
Credential Monitoring Becomes Part of the Response
Because exploitation requires an authorized account, patching should be paired with a focused review of credential and Exchange activity. Administrators should investigate unexplained mailbox sign-ins, unusual source addresses, repeated authentication attempts, unexpected PowerShell or administrative activity, newly assigned roles, and anomalous access to Exchange web endpoints.Resetting every user password is not automatically warranted when there is no evidence of compromise. However, exposed credentials, stale privileged accounts, service accounts with interactive access, and identities showing suspicious sign-in activity should be remediated rather than left as possible inputs to the vulnerability.
Network controls can reduce exposure but do not replace the update. Restricting administrative endpoints, requiring multifactor authentication where supported, disabling unused services, limiting external access, and enforcing account lockout or smart-lockout policies all make it harder to obtain or use the low-privilege credentials required for the attack.
Microsoft has confirmed the vulnerability and supplied an official fix, giving the advisory’s report-confidence metric its strongest value. That does not mean exploit code is public; it means the flaw and its technical classification are no longer speculative.
For Exchange administrators, the immediate milestone is concrete: every server should report at least build 15.1.2507.71, 15.2.1544.43, 15.2.1748.48, or 15.2.2562.45, depending on its servicing branch. Any lower build remains exposed to an authenticated, network-reachable path from a compromised account to code execution on one of the organization’s most security-sensitive servers.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: techcommunity.microsoft.com
- Official source: download.microsoft.com
- Official source: support.microsoft.com
- Official source: learn.microsoft.com
Which Exchange 2016 CU are vulnerable to vulnerabilities CVE-2021-34473, CVE-2021-34523, CVE-2021-31207? - Microsoft Q&A
Hello, colleagues. Please tell me, do these vulnerabilities affect all CU Exchange 2016? And are these vulnerabilities present in Exchange 2010? Or did these vulnerabilities appear only in CU19 and CU20?learn.microsoft.com - Related coverage: media.defense.gov