Microsoft pushed out its June 2026 security updates for Exchange Server on Tuesday, June 9, 2026, fixing a critical remote code execution (RCE) vulnerability tracked as CVE-2026-42897 that can be exploited through Outlook on the Web (OWA). The patch drop also marks a pivotal moment for organizations still running Exchange Server 2016 and 2019: only those enrolled in the Extended Security Update (ESU) program will receive these fixes, while Exchange Server Subscription Edition customers get them automatically. For any server with OWA exposed to the internet, this update is a drop-everything-and-patch scenario.
CVE-2026-42897: The OWA RCE Nightmare
CVE-2026-42897 is a pre-authentication remote code execution vulnerability in Exchange Server’s OWA component. Attackers can exploit the flaw by sending a specially crafted request to an OWA endpoint, potentially achieving SYSTEM-level code execution on the target server without any user interaction. Microsoft assesses the attack complexity as low and rates the vulnerability with a CVSSv3 score of 9.8 — critical.
The root cause is improper deserialization of user-supplied data in the OWA proxy module. While processing certain session-aware requests, Exchange deserializes encrypted client data without sufficient validation, so an attacker who controls that data can deliver a gadget chain that executes arbitrary commands when the object graph is reconstructed. Microsoft credits an undisclosed security researcher, reporting through the Microsoft Security Response Center (MSRC), for the find.
While there were no reports of active exploitation at the time of release, the public disclosure of the vulnerability details in the security update guide gives attackers a clear blueprint. Exchange servers have historically been prime targets for ransomware gangs and nation-state actors; the 2021 ProxyLogon and ProxyShell attacks are painful reminders of how quickly a PoC can morph into widespread compromise. Administrators should assume that exploit code will surface within days, if not hours.
The ESU Gate: Who Gets the Fix?
Microsoft’s lifecycle policies require customers to keep Exchange Server on a supported version to receive security updates. Exchange Server 2016 and 2019 fell under the Fixed Lifecycle Policy: Exchange Server 2016 exited Mainstream Support on October 13, 2020, and Exchange Server 2019 on January 9, 2024, and both exited Extended Support together on October 14, 2025. The only fully supported on-premises platform is Exchange Server Subscription Edition, which operates on a continuous update model under the Modern Lifecycle Policy.
To bridge the gap, Microsoft offers the Extended Security Update (ESU) program for legacy versions. ESUs are sold through volume licensing and deliver Critical- and Important-rated security updates for up to three years past end of support. For Exchange Server 2016 CU23 and Exchange Server 2019 CU14/CU15, the June 2026 packages are therefore not offered to every server: only servers with a valid ESU license installed will see them in Microsoft Update or be able to download the standalone packages from the Microsoft Update Catalog. Attempting to install the June 2026 patches on a non-ESU server results in an installation block.
Here is a quick breakdown of support status as of June 2026:
| Exchange Version | Support Status | How to Get June 2026 Patches |
|---|---|---|
| Exchange Server Subscription Edition | Fully supported | Automatic via Windows/Microsoft Update, Volume License, or Update Catalog |
| Exchange Server 2019 CU15 | Out of support; ESU required | ESU enrollment + Volume License + Azure Arc registration (if cloud-enabled) |
| Exchange Server 2019 CU14 | Out of support; ESU required | Same as CU15 |
| Exchange Server 2016 CU23 | Out of support; ESU required | ESU enrollment + Volume License + Azure Arc registration |
| Exchange Server 2019 CU13 and earlier | Not eligible for ESU | Upgrade to CU15 and enroll in ESU |
| Exchange Server 2016 CU22 and earlier | Not eligible for ESU | Upgrade to CU23 and enroll in ESU |
Microsoft urges customers still on unsupported versions to migrate to Exchange Server Subscription Edition or move to Exchange Online. For those who must remain on-premises, ESU provides a temporary safety net — but it comes at an additional cost and requires installing specific prerequisite updates (like the Azure Arc agent) to stay compliant.
OWA Mitigations: When Patching Can’t Happen Immediately
Every minute an Exchange server remains unpatched is a risk window, but real-world change management often forces delayed patching. For such scenarios, Microsoft provides a mitigation to block the attack vector without fully applying the security update. The June 2026 advisory includes an Exchange Emergency Mitigation Service (EEMS) rule and a manual URL Rewrite configuration to block the vulnerable OWA pattern.
EEMS Mitigation
The Exchange Emergency Mitigation Service, introduced in September 2021 with Exchange 2019 CU11 and Exchange 2016 CU22, automatically downloads and applies web-based mitigations from Microsoft. To ensure it is functioning:
- Check that the `Microsoft Exchange Emergency Mitigation Service` (service name `MSExchangeMitigation`) is running.
- Run `Get-Mitigations.ps1 -ConnectionTest` to verify connectivity to the mitigation backend.
- If the mitigation for CVE-2026-42897 is missing, manually trigger a check: `Invoke-Command -ScriptBlock { Start-MitigationsDownload.ps1 }`.
EEMS will add an IIS rewrite rule that inspects incoming OWA requests and rejects those matching the exploit signature.
Manual URL Rewrite Mitigation
If you cannot use EEMS or prefer a hands-on approach, add the following rule in IIS Manager at the “Default Web Site” level. The IIS URL Rewrite module is a prerequisite on every CU that ships EEMS, so it should already be present; install it first if it is not.
```xml
<!-- Drop requests to /owa/ whose path carries an encoded delimiter (& ; / \)
     and whose query string carries a __VIEWSTATE parameter. Both conditions
     must hold (MatchAll); a matching request is aborted with no response. -->
<rule name="CVE-2026-42897 Mitigation" patternSyntax="ECMAScript" stopProcessing="true">
  <match url="(.*)" />
  <conditions logicalGrouping="MatchAll">
    <add input="{REQUEST_URI}" pattern="^/owa/.*(%26|%3B|%2F|%5C).*" />
    <add input="{QUERY_STRING}" pattern=".*__VIEWSTATE=.*" />
  </conditions>
  <action type="AbortRequest" />
</rule>
```
Caution: customizations to OWA, such as third-party authentication modules or Hybrid Modern Authentication, may be affected. Test thoroughly in a non-production environment and monitor OWA functionality after applying the rewrite rule.
The mitigation is effective against known exploit techniques but is not a substitute for the full security update. It should be considered a short-term shield while you schedule full patching.
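The EEMS checks and the manual rule above can be driven from the Exchange Management Shell. The following script is an added example, not code from the advisory or from Microsoft: it reports the EEMS state on the local server, then applies, lists and rolls back the rewrite rule through the IIS WebAdministration module. The rule name and patterns are the ones on this page; the function names, the `IIS:\Sites\Default Web Site` provider path, and the property access on the returned configuration objects follow WebAdministration conventions and are this example's assumptions.

```powershell
# Added example (not from the advisory): inspect EEMS, then manage the
# CVE-2026-42897 URL Rewrite rule on "Default Web Site". Run elevated in EMS.
Import-Module WebAdministration

$RuleName = 'CVE-2026-42897 Mitigation'
$Site     = 'IIS:\Sites\Default Web Site'                        # assumed site path
$RulePath = "system.webServer/rewrite/rules/rule[@name='$RuleName']"

function Get-EemsStatus {
    # EEMS only delivers rules when the service is running and mitigations are
    # enabled at BOTH the organization and the server level.
    $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $srv = Get-ExchangeServer -Identity $env:COMPUTERNAME
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
        OrgMitigations     = $org.MitigationsEnabled
        ServerMitigations  = $srv.MitigationsEnabled
        MitigationsApplied = $srv.MitigationsApplied
        MitigationsBlocked = $srv.MitigationsBlocked
    }
}

function Add-OwaMitigationRule {
    # Without the URL Rewrite module the rule is silently ignored, so fail loudly.
    if (-not (Get-WebGlobalModule -Name RewriteModule)) {
        throw 'IIS URL Rewrite module is not installed; install it before applying the rule.'
    }
    if (Get-WebConfiguration -PSPath $Site -Filter $RulePath) {
        Write-Warning "Rule '$RuleName' already exists; leaving it unchanged."
        return
    }
    Add-WebConfigurationProperty -PSPath $Site -Filter 'system.webServer/rewrite/rules' -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$RulePath/match" -Name 'url' -Value '(.*)'
    Set-WebConfigurationProperty -PSPath $Site -Filter "$RulePath/conditions" -Name 'logicalGrouping' -Value 'MatchAll'
    # Both conditions must hold: encoded delimiter in the OWA path AND __VIEWSTATE in the query.
    Add-WebConfigurationProperty -PSPath $Site -Filter "$RulePath/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = '^/owa/.*(%26|%3B|%2F|%5C).*' }
    Add-WebConfigurationProperty -PSPath $Site -Filter "$RulePath/conditions" -Name '.' `
        -Value @{ input = '{QUERY_STRING}'; pattern = '.*__VIEWSTATE=.*' }
    Set-WebConfigurationProperty -PSPath $Site -Filter "$RulePath/action" -Name 'type' -Value 'AbortRequest'
}

function Get-OwaMitigationRule {
    # Read the rule back as IIS stored it, so the patterns can be checked against the advisory.
    $rule = Get-WebConfiguration -PSPath $Site -Filter $RulePath
    if (-not $rule) { return $null }
    [pscustomobject]@{
        Name       = $rule.name
        Syntax     = $rule.patternSyntax
        Action     = $rule.action.type
        Conditions = @($rule.conditions.Collection | ForEach-Object { "$($_.input) matches $($_.pattern)" })
    }
}

function Remove-OwaMitigationRule {
    # Roll back once the SU is installed; stale rules are a known post-patch problem.
    Clear-WebConfiguration -PSPath $Site -Filter $RulePath
}

# Usage: look at EEMS first; only add the manual rule if EEMS has not delivered one.
Get-EemsStatus | Format-List
Add-OwaMitigationRule
Get-OwaMitigationRule | Format-List
```

Run `Remove-OwaMitigationRule` as part of the post-patch checklist; the rule is keyed by name, so the removal is exact and leaves any other rewrite rules on the site untouched.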
Patch Rollout: Packages and Build Numbers
Microsoft distributes the June 2026 security update as individual patches for each supported build. The following packages are available:
- Exchange Server Subscription Edition (Build 15.3.1722.7) — KB5061234
- Exchange Server 2019 CU15 (Build 15.2.1444.18) — KB5061235
- Exchange Server 2019 CU14 (Build 15.2.1258.26) — KB5061236
- Exchange Server 2016 CU23 (Build 15.1.2507.41) — KB5061237
These packages are cumulative within a given CU: each SU contains the fixes from the earlier SUs for that CU, but it does not replace the CU itself, so the server must already be on the listed CU. The download size for the Subscription Edition patch is approximately 350 MB; the legacy packages are in the 200–250 MB range.
For ESU customers on Exchange 2019 CU15/CU14 or Exchange 2016 CU23, the patches will appear in Microsoft Update only if the proper ESU activation keys are installed and the Azure Arc agent is operational. For offline installation, you can download the .msp files from the Microsoft Update Catalog after signing in with a Volume Licensing account tied to an active ESU agreement.
Installation Guidance
Follow this sequence to minimize downtime:
- Back up all Exchange databases and the IIS configuration (especially the `web.config` files under the Exchange installation path). Hypervisor snapshots of Exchange servers are not a supported recovery path, so do not treat a snapshot as the backup.
- Put the server into maintenance mode with `Set-ServerComponentState` (and, on a DAG member, move active database copies off it first) to prevent client disruption.
- Install the update from an elevated command prompt: `msiexec /update Exchange2019-KB5061235-x64-en.msp /qb+ /log C:\Temp\exupdates.log`. Launching the .msp by double-clicking runs it without elevation and is a common cause of broken OWA and ECP afterwards.
- Reboot the server even if not prompted.
- Run Exchange Setup from the matching CU or Subscription Edition media with the `/PrepareAD` and `/PrepareDomain` switches only when the KB article for the SU calls for it; some SUs carry Active Directory schema or permission changes, most do not.
- Take the server out of maintenance mode and verify services.
In a multi-server environment, always update internet-facing servers first, then internal servers. Hybrid servers should also be prioritized: in addition to OWA and Autodiscover, they expose the EWS and MRS proxy endpoints that Exchange Online uses for free/busy lookups and mailbox migrations.
After installation, run the HealthChecker script (`HealthChecker.ps1` from the microsoft/CSS-Exchange repository on GitHub, https://aka.ms/ExchangeHealthChecker) to catch configuration drift, disabled services, or leftover mitigation rules that might interfere with normal operation. The script flags a server whose build is not the expected SU build. Note that `Get-ExchangeServer` reports only the CU version; the SU level is visible in the file version of `ExSetup.exe`.
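The installation sequence above, with the DAG maintenance-mode steps spelled out, as an added example script that is not part of the advisory or of Microsoft's tooling. It assumes the KB, package file name and build quoted on this page for Exchange 2019 CU15, a staging folder `C:\Staging`, and a DAG peer named `EX02` for `Redirect-Message`; all four are placeholders to replace. Because of the reboot, the phases are run as separate invocations from an elevated Exchange Management Shell.

```powershell
# Added example (not the advisory's script). Save as Invoke-ExSu.ps1 and run
# each phase in turn: -Phase Enter, -Phase Install (reboots), -Phase Exit, -Phase Verify.
param(
    [Parameter(Mandatory)][ValidateSet('Enter','Install','Exit','Verify')][string]$Phase,
    [string]$Server        = $env:COMPUTERNAME,
    [string]$PeerServer    = 'EX02',                                         # assumed DAG peer
    [string]$MspPath       = 'C:\Staging\Exchange2019-KB5061235-x64-en.msp', # assumed staging path
    [string]$ExpectedBuild = '15.2.1444.18'                                  # build quoted on the page
)

# Cluster and database-copy steps only apply to DAG members.
$IsDagMember = [bool](Get-MailboxServer -Identity $Server).DatabaseAvailabilityGroup

function Enter-ExMaintenance {
    # Drain transport first so queued mail leaves before the server goes offline.
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Restart-Service MSExchangeTransport
    Redirect-Message -Server $Server -Target $PeerServer -Confirm:$false
    if ($IsDagMember) {
        Suspend-ClusterNode $Server
        Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
        Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked
        # Refuse to continue while any database is still mounted on this node.
        $mounted = Get-MailboxDatabaseCopyStatus -Server $Server | Where-Object Status -eq 'Mounted'
        if ($mounted) { throw "Databases still mounted on ${Server}: $($mounted.Name -join ', ')" }
    }
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance
}

function Install-ExSecurityUpdate {
    # msiexec must run elevated; /qb+ shows progress, /log keeps a record for troubleshooting.
    if (-not (Test-Path $MspPath)) { throw "Package not found: $MspPath" }
    $p = Start-Process msiexec.exe -Wait -PassThru `
         -ArgumentList "/update `"$MspPath`" /qb+ /log C:\Temp\exupdates.log"
    # 0 = success, 3010 = success but reboot required; anything else is a failure.
    if ($p.ExitCode -notin @(0, 3010)) {
        throw "msiexec exited with $($p.ExitCode); see C:\Temp\exupdates.log"
    }
    Restart-Computer -Force   # reboot even when msiexec did not ask for one
}

function Exit-ExMaintenance {
    Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
    if ($IsDagMember) {
        Resume-ClusterNode $Server
        Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $false
        Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Unrestricted
    }
    Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance
    Restart-Service MSExchangeTransport
    # Anything still not Active needs attention before clients are sent back here.
    Get-ServerComponentState $Server | Where-Object State -ne 'Active'
}

function Test-ExBuild {
    # AdminDisplayVersion reflects only the CU; the SU build is the ExSetup.exe file version.
    $actual = (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
    [pscustomobject]@{ Expected = $ExpectedBuild; Actual = $actual; Patched = ($actual -eq $ExpectedBuild) }
}

switch ($Phase) {
    'Enter'   { Enter-ExMaintenance }
    'Install' { Install-ExSecurityUpdate }
    'Exit'    { Exit-ExMaintenance }
    'Verify'  { Test-ExBuild }
}
```

The `Verify` phase is the one check worth keeping after every SU: a server that reports the right CU but the wrong `ExSetup.exe` version has not actually taken the update, regardless of what msiexec returned.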
Known Issues and Community Pain Points
Even with extensive testing, some administrators have reported post-installation glitches:
- ECP and OWA not loading: if the server has custom IIS modules, or if the mitigation URL Rewrite rule was applied before the update, the `web.config` file may end up misconfigured. Remove and re-apply the rule after the update, or delete and recreate the OWA and ECP virtual directories.
- Certificate warnings: the OAuth certificate configuration can be disturbed by an update. Confirm that the thumbprint reported by `Get-AuthConfig` matches a valid certificate listed by `Get-ExchangeCertificate`, and re-run the Hybrid Configuration Wizard if necessary.
- ESU activation failures: some ESU customers using Azure Arc report that the ESU license is not recognized immediately. Confirm that the Arc agent reports itself as connected (`azcmagent show`) before opening a support case.
In a notable thread on the Exchange Tech Community, an MVP reported that the June 2026 patches remove a previously set system.webServer/serverRuntime override in web.config that was required for some third-party security products. Re-adding the override post-patch restored functionality.
Microsoft acknowledged that the update might re-apply default permissions to the Exchange Back End site, potentially breaking applications that rely on custom authentication or anonymous access. A script is provided in the release notes to restore specific permissions.
Broader Context: The Patch Tuesday Landscape
June 2026 is a regular “B-week” Patch Tuesday release for Microsoft. In addition to Exchange, the company addressed over 70 vulnerabilities across the Windows, Office, and Azure product lines, but CVE-2026-42897 is unequivocally the headline. The security firm Darktrace reported scanning activity against OWA endpoints within 24 hours of the advisory going public, though no successful exploitation had been confirmed at the time of writing.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by July 1, 2026. Private sector organizations that handle sensitive data should treat the same deadline as a minimum.
Final Analysis: Act Now, Mitigate If You Must, and Plan Your Migration
The clock is ticking. Exchange servers with OWA open to the internet are the low-hanging fruit, and history shows that unpatched RCE vulnerabilities in Exchange are weaponized swiftly. Patch your servers, in priority order, as soon as business continuity plans allow. If a full update deployment is days away, apply the URL Rewrite mitigation immediately — it takes less than five minutes per server.
For those clinging to Exchange 2016 and 2019: the ESU program is the last line of defense, but it is neither free nor indefinite. It buys a fixed term of updates, and that term started running at end of support. The end may sound distant, but the effort to upgrade to Exchange Server Subscription Edition or migrate to the cloud only grows with time. Start that planning now, while the patches are still flowing.