Exchange Team Blog

3 MIN READ

Released: October 2025 Exchange Server Security Updates

The_Exchange_Team

Platinum Contributor

Oct 14, 2025

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

Exchange Server Subscription Edition (SE)
Exchange Server 2019
Exchange Server 2016

SUs are available for the following specific versions of Exchange Server:

Exchange SE RTM
Exchange Server 2019 CU14 and CU15
Exchange Server 2016 CU23

The October 2025 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Server Software under Product Family).

Last publicly released updates for Exchange 2016 and 2019

October 2025 SUs are the last publicly available SUs for Exchange Server 2016 and 2019. From this point forward, only customers who contacted their Microsoft Account Teams to get the Extended Security Update (ESU) for those versions will receive new SUs that we might release for Exchange 2016 and 2019, through April 2026.

Our recommendation is that you upgrade your organization to Exchange SE rather than get the Exchange 2016 and 2019 ESU. Please remember that starting with Exchange SE CU2, there will be no more coexistence with Exchange 2016 and 2019 (CU2 will block installation if any build of Exchange 2016 or 2019 are present in the organization).

Auth Certificate export no longer possible via Export-ExchangeCertificate

Starting October 2025 SU, exporting the Exchange Server Auth Certificate and its private key with Export-ExchangeCertificate will be blocked for added security (see KB5069337 for details). The Auth Certificate is crucial for securing Exchange Server workloads, and exporting its private key is rarely needed. For Auth Certificate issues, use the MonitorExchangeAuthCertificate PowerShell script to assist with troubleshooting.

Update installation

The following update paths are available:

Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
Re-run the Health Checker after you install an update to see if any further actions are needed.
If you encounter errors during or after installation of Exchange Server, run the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates. Also please see File version error when you try to install Exchange Server updates.

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU/HU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs or HUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

Documentation may not be fully available at the time this post is published.

This post might receive future updates; they will be listed here (if available).

The Exchange Server Team

Updated Oct 15, 2025

Version 2.0

Platinum Contributor

Joined April 19, 2019

View Profile

Exchange Team Blog

You Had Me at EHLO.

12 Comments

Peter222012144
Copper Contributor
Oct 20, 2025
Just updated a two server DAG (Windows 2019 Server and Exchange SE RTM) with october SU and october windows updates. No issues so far. And have not seen any IIS issue here.
harrissg
MCT
Oct 20, 2025
Any known issues for windows server 2019 dag and subscription edition ?The IIS issue affects only 2022 and 2025 windows versions?
LIRO-Bwi
Copper Contributor
Oct 20, 2025
Hi,
after SE RTM SU 3 the latest health checker reports that it can't verify AD membership because the results are empty. However, the servers are still included in the "Exchange Servers" and "Exchange Trusted Subsystem" groups.
Does anyone else have a similar result?
And yes, the shell had been run as administrator.
- ManleyDOA
  Copper Contributor
  Oct 20, 2025
  I had this "Exchange Server Membership Failed" issue on 2019 and SE before SU3. And it continues after SU3. I tried the troubleshooting fixes before and no luck. One MS tech said to just ignore this as it isn't a big deal.
  - Nino_Bilic
    Microsoft
    Oct 20, 2025
    There seems to be an issue open against Health Checker on this, and it seems related to a SID that does not resolve anymore, please see here: Exchange Server Membership - Health Checker · Issue #2381 · microsoft/CSS-Exchange
macsneil
Copper Contributor
Oct 20, 2025
Have there been been any issues observed with a combination of the October SU and the latest Windows Server Update KB5066835? We are running Exchange SE RTM on Server 2022 and when I patched the server at the weekend , the patches failed to install and then IIS simply refused to start no matter what fixes I tried. There are known issues with that Windows update causing issues with IIS, most especially killing localhost across desktop and server versions, I just wondered you have observed any similar behaviour.
- ManleyDOA
  Copper Contributor
  Oct 20, 2025
  I don't have anything to add to help you, but I'm curious if you figured this out on your end and/or if you have any more information? We have not installed the latest October 2025 server updates yet, so this piqued my interest.
  - macsneil
    Copper Contributor
    Oct 20, 2025
    I haven't had a chance to take a proper look at it yet. I restored the Exchange server from the backup I took before patching so am back to square one. I'll try manually installing the SU first when I can schedule some downtime. The mitigation for the IIS problems includes disabling HTTP/2 in the registry which I haven't tried. I am not sure how this would affect Exchange operation.
SebastianDiezibesAG
Copper Contributor
Oct 20, 2025
Hello,
We have MS Exchange Server SE RTM incl. SU August 2025 (.20) installed on a Windows Server 2025, and SU October 2025 is also installed. This is the German version.
The install file and the website say 15.2.2562.29, but if you check InformationStore.exe after successful installation, the ID is only 28 (15.2.2562.28). I just wanted to let MS know about this; the latest Health Checker isn't complaining either.
- LukasSMSFT
  Microsoft
  Oct 20, 2025
  Thank you for your feedback. This is expected behavior: not all files display the latest version number. This happens because multiple builds are created during the update process. If adjustments are made after a build is generated, not every file is rebuilt, so some may still show the previous build number.
  
  To verify that you’re on the latest SU build, use Option 2 as described here: https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates#option-2
mcollinson
Copper Contributor
Oct 16, 2025
The https://aka.ms/ExchangeUpdateWizard link doesn't have options for Exchange SE. You might want to update it to include it, or clarify the advice here.
- LukasSMSFT
  Microsoft
  Oct 16, 2025
  Thanks for your feedback. This is already in the making and should become available within the next 1-2 weeks.

Blog Post

Released: October 2025 Exchange Server Security Updates

Last publicly released updates for Exchange 2016 and 2019

Auth Certificate export no longer possible via Export-ExchangeCertificate

Update installation

FAQs