Blog Post

Exchange Team Blog
5 MIN READ

Released: June 2026 Exchange Server Security Updates

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Jun 09, 2026
Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server Subscription Edition (SE) Exchange Server 2019 Exchange Server 2016 SUs are available for the f...
Updated Jun 11, 2026
Version 3.0
administration
announcements
exchange 2016
exchange 2019
exchange se
on premises
security
setup
broland's avatar
broland
Iron Contributor
Jun 09, 2026

I hate to be a nitpicker but the FAQ "When CVE-2026-42897 mitigations were released, there were several reported known issues. Are those solved in the CVE-2026-42897 fix (June 2026 SU)?" I would respectfully say the answer is "no."  You say they are, as long as you remove the mitigations.  Well if I remove the mitigations without the security update they are also "solved" by that logic.  But you're also recommending leaving the mitigations in place (despite it allegedly being fixed), which means the known issues will continue to exist.  I don't know maybe it's just me.

 

Also KB5094139 states that "The fix for CVE-2026-45583 is not included in the Security Update, please follow the instructions mentioned in the CVE documentation to address this vulnerability." but when I click on the CVE documentation it seems to suggest the fix is to install the Security Update and manually download and replace some Public Folders scripts?  Is that right?

Nino_Bilic's avatar
Nino_Bilic
Icon for Microsoft rankMicrosoft
Jun 09, 2026

Your first point is fair as it might sound like we want to keep the cake and eat it too. But I want to be clear: June 2026 fix DOES fix CVE-2026-42897. The CVE itself was updated to say that this update is the fix. Install it and it is fixed.

But indeed, we are doing some more work in adjacent areas. We are recommending keeping mitigation out of abundance of caution. We are not aware of any new ongoing attack or anything like that, but there is more we want to do here. We also know that some of our customers are really hurting due to mitigation known issues and that is why we are providing options (and information how to block/remove mitigations, if so desired, after installing the update). We would not tell you this if we did not fix CVE-2026-42897.

Your interpretation of CVE-2026-45583 - Security Update Guide - Microsoft - Microsoft Exchange Server Remote Code Execution Vulnerability is right. The issue with "built-in scripts" is something that we cannot truly fix outside of the Cumulative Update (which June 2026 release is not) so we are asking folks who need the scripts to download them from GitHub. In fact, we will remove those scripts from installation media in a future CU.

  • broland's avatar
    broland
    Iron Contributor
    Jun 10, 2026

    Thanks Nino_Bilic​.  My intention was not to be pedantic, rather I just wasn't entirely clear on either point. As always, the Exchange team is awesome.