Microsoft has released its July 2026 security updates for Exchange Server, addressing a critical vulnerability, CVE-2026-42897. These updates apply to Exchange Server Subscription Edition (SE), 2016, and 2019. Customers using legacy versions must have an active Extended Security Update (ESU) subscription to access these patches, which are distributed privately to eligible commercial accounts.
Critical Vulnerability CVE-2026-42897 Addressed
The July 2026 update package includes a fix for CVE-2026-42897, a vulnerability classified as "critical" by Microsoft. Before the release of these Security Updates (SUs), Microsoft had provided temporary mitigations to protect systems from potential exploitation. With the patch now available, the company has officially directed IT administrators to remove those previous mitigations immediately after installing the latest update.

Failing to apply the update leaves systems exposed to the vulnerability, even if temporary mitigations were previously configured. Microsoft emphasizes that these SUs are cumulative; installing the July 2026 package will also include all previous security enhancements for the respective server versions.
ESU Requirements for Legacy Exchange Servers
Access to these security patches is restricted. Microsoft provides these updates primarily to customers participating in the Extended Security Update (ESU) program for Exchange Server 2016 and 2019.
- Eligibility: Only commercial customers who have purchased Period 2 of the ESU program can download and deploy these updates.
- Availability: There is no public download link for these files. They are delivered directly to authorized customers through private channels.
- Scope: These updates are essential for on-premises Exchange Server deployments, including those operating in hybrid environments. Microsoft notes that Exchange Online configurations do not require these SUs, as they are managed and patched directly by the service provider.
Guidance for IT Administrators
Microsoft recommends that all organizations currently running supported versions of Exchange Server prioritize the deployment of these patches. For environments that cannot be updated immediately, Microsoft warns that skipping the SUs will result in the continued presence of known issues linked to the temporary mitigations.
Administrators are advised to consult the official Microsoft Exchange documentation for specific details regarding known bugs introduced in this release and for instructions on how to verify the installation status of the patches. By maintaining the ESU subscription, organizations ensure their legacy infrastructure remains protected against emerging threats that have been identified since the end of standard support for those specific Exchange versions.