On July 14, Microsoft released a set of security updates for Exchange Server that patch four newly disclosed vulnerabilities—including a remote code execution flaw—and deliver a permanent fix for the previously mitigated CVE-2026-42897. However, the installation is only half the job; administrators must manually retire the old mitigation only after a service-side change rolls out by July 16, or risk having it automatically reapplied.
Microsoft’s Exchange Team detailed the updates in a blog post, stressing that the job isn’t finished when setup reports success. For organizations that deployed the temporary mitigation for the May Outlook Web Access spoofing bug, leaving it in place after patching can cause ongoing issues with inline images, calendar printing, published calendars, OWA Light, and some Exchange health checks. But removing it too soon could backfire if the Exchange Emergency Mitigation service hasn’t yet recognized the new build as patched.
The July Exchange Updates: What’s Fixed and Where
The July 2026 security update bundles address four newly assigned CVEs:
- CVE-2026-55005 – Remote Code Execution
- CVE-2026-55006 – Spoofing
- CVE-2026-55008 – Elevation of Privilege
- CVE-2026-55009 – Elevation of Privilege
In addition, the update carries the final remedy for CVE-2026-42897, the OWA spoofing vulnerability disclosed in May. Until now, admins had to rely on the Exchange Emergency Mitigation service or the standalone Exchange On-premises Mitigation Tool (EOMT) to block exploitation. That workaround introduced well-documented side effects, and the update itself now contains the underlying fix, eliminating the need for the stopgap.
The patches are available for the following versions:
| Exchange Version | KB Number | Availability |
|---|---|---|
| Exchange Server Subscription Edition RTM | KB5103212 | Standard servicing channels |
| Exchange Server 2019 CU15 | (check ESU portal) | Period 2 ESU required |
| Exchange Server 2019 CU14 | KB5103214 | Period 2 ESU required |
| Exchange Server 2016 CU23 | (check ESU portal) | Period 2 ESU required |
Exchange Online tenants are already protected and need no action. But on-premises servers—even those used solely for management, hybrid configuration, or SMTP relay—remain part of the attack surface until updated.
The Old Mitigation Trap: Why You Must Wait Until July 16
Here’s the part that will catch many admins off guard: installing the July update does not automatically remove the CVE-2026-42897 mitigation. In fact, if you use the automated Emergency Mitigation service, ripping it out right after patching can be a mistake.
Microsoft is rolling out a server-side change that tells the EM service the July build is no longer vulnerable. That rollout is expected to complete by July 16, 2026. Until your server receives that signal, the EM service may reapply the old mitigation, even though you’ve already deployed the fixed code. The result: you’re stuck with the same OWA hiccups and monitoring blind spots you were trying to escape.
The safe sequence is:
- Install the July security update on the target Exchange server.
- Reboot and verify that all Exchange services start normally.
- Check the new build number against Microsoft’s documentation to confirm the update is properly applied.
- Wait for the EM service to acknowledge the server as patched. Microsoft says this should happen automatically by July 16.
- Once acknowledged, remove the CVE-2026-42897 mitigation using the appropriate method:
- If you applied it via the EM service, no manual removal is needed once the service stops reapplying it.
- If you used the EOMT script, run the rollback procedure documented for that tool.
For air-gapped environments or organizations that deployed EOMT manually, there’s no dependency on the cloud-side change. You can—and should—roll back the mitigation via the script immediately after updating, since the EM service isn’t involved.
Servers that cannot be updated right away should keep the mitigation active and understand they’re still exposed to its known OWA and health-check problems. But don’t treat them as equivalent to patched systems; they remain partially protected at best.
ESU Gatekeepers: Who Can Actually Get These Updates
Exchange Server 2016 and Exchange Server 2019 are out of support. Their July security packages are not available through public download channels. Only organizations enrolled in Period 2 of the Extended Security Update program can obtain them.
Period 2 covers security updates released from May through October 2026. Having purchased an earlier ESU period doesn’t automatically grant access to the July fixes; you must be enrolled in Period 2. Microsoft’s advice is blunt: if you’re still running Exchange 2016 or 2019 without an active ESU license, the prescribed path is migration to Exchange Server Subscription Edition.
That restriction matters even when an old server carries no user mailboxes. An Exchange installation retained for recipient management, hybrid configuration, SMTP relay, or administrative tooling still requires security servicing. Microsoft has made it clear: every machine with Exchange bits—including management workstations running the Exchange Management Tools—must be updated.
Beyond the Patch: Mixed Builds, Management Tools, and Legacy Groups
Mixed builds can break Office Online Server. Microsoft warns that leaving some Exchange servers on the old mitigation-only approach while others are fully patched may cause integration failures with Office Online Server. If you use OOS to preview or edit Office documents, plan your deployment to minimize the window where some servers have the update and others don’t. In a multi-server environment, aim to patch all Exchange servers within the same maintenance window.
Update management workstations, too. The Exchange Management Tools need the same security update as the servers they talk to. Version mismatches can lead to compatibility problems. Inventory all Windows servers and PCs that host the tools and include them in your update scope.
Rerun the Hybrid Configuration Wizard if you change the auth certificate. In hybrid setups, if you replace the Exchange authentication certificate after applying the July SU, Microsoft recommends running the Hybrid Configuration Wizard again to refresh the trust with Exchange Online.
Health Checker now flags deprecated AD groups. Alongside the July release, the Exchange Server Health Checker has been updated to detect two long-obsolete Active Directory security groups: Exchange Domain Servers and Exchange Enterprise Servers. These groups date back to Exchange Server 2007 and should no longer be in use. They may grant broader permissions than modern Exchange security principals, creating an unnecessary privilege-escalation risk. Check the Health Checker’s XML or verbose output—the groups might not appear in the summary text report. After verifying they aren’t actively referenced, delete them. This cleanup applies even if you’ve already decommissioned your last on-premises Exchange server; old AD objects often survive the decommissioning process.
Your Post-Patch Checklist
- Install the July SU on every Exchange server (mailbox and management-only) and every machine with Exchange Management Tools.
- Reboot and verify services – use the Health Checker script before and after to catch configuration drift.
- Check the build number – Microsoft publishes the expected builds for each supported version; confirm yours matches.
- Wait for the EM service signal – until July 16, don’t remove the CVE-2026-42897 mitigation if you’re relying on the automated service. In air-gapped or EOMT scenarios, roll back immediately after updating.
- Retire the mitigation – follow the documented rollback for your original deployment method.
- Validate OWA functionality – once mitigation is removed, test inline images, calendar printing, and OWA Light to ensure the side effects are gone.
- Re-run Health Checker – identify any leftover issues, including the newly flagged legacy AD groups.
- If hybrid, review certificates and HCW – re-run the wizard if the auth cert changed.
- If using Office Online Server, monitor integration – a mixed-version environment can cause failures; patch all servers quickly.
What’s Next for Exchange
The July update underscores Microsoft’s accelerating push away from legacy Exchange versions. With Exchange 2016 and 2019 locked behind ESU, and Exchange Server Subscription Edition now the primary supported platform, organizations that haven’t yet migrated must weigh the mounting cost of extended support against the effort of upgrading. The July patches also highlight a maturing update rhythm: cumulative updates that demand more than just a “set and forget” approach. As the EM service becomes smarter and the interplay between Microsoft’s cloud-side protections and on-premises actions grows tighter, admins will need to follow release notes closely—not just to install the bits, but to complete the entire remediation dance.