Microsoft has released February 2026 Security Updates for Exchange Server Subscription Edition, Exchange Server 2019, and Exchange Server 2016, addressing critical vulnerabilities that require immediate installation to protect on-premises environments.
Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server Subscription Edition (SE) Exchange Server 2019 Exchange Server 2016 SUs are available for the following specific versions of Exchange Server: Exchange SE RTM Exchange Server 2019 CU14 and CU15 (to access, you must be enrolled into the ESU program) Exchange Server 2016 CU23 (to access, you must be enrolled into the ESU program) The February 2026 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft's internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment. More details about specific CVEs can be found in the Security Update Guide (filter on 'Server Software' under Product Family for Exchange SE and 'ESU' under Product Family for Exchange 2016 and 2019).
Exchange 2016 and 2019 Updates Available Only Through ESU Program
Exchange Server 2016 and 2019 are out of support. Customers who enrolled in the Extended Security Update (ESU) program are eligible to receive the February 2025 security updates for Exchange Server 2016 and 2019. If you are not part of the ESU program, migrate to Exchange Server Subscription Edition (SE) to keep receiving the latest security updates.
If you have already purchased the ESU and need information on accessing the latest Security Updates, please contact us by sending an email to [email protected].
Update Installation Process
The following update paths are available:
- Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
- Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
- Re-run the Health Checker after you install an update to see if any further actions are needed.
- If you encounter errors during or after installation of Exchange Server, run the SetupAssist script.
- If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates. Also please see File version error when you try to install Exchange Server updates.
Frequently Asked Questions
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything? Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.
The last SU/HU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs or HUs in sequential order; simply install the latest SU. Please see this blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about 'Management Tools only' machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.
Our organization does not have the Exchange 2016 and 2019 ESU. How can we get current Exchange 2016 or 2019 updates?
Since Exchange 2016 and 2019 are now out of support, only customers who have enrolled into the ESU program (which is valid until April 2026) can obtain Exchange 2016 or 2019 updates released under the ESU. For all customers still running Exchange 2016 or 2019, we recommend that you upgrade your organization to Exchange SE as soon as possible.
Documentation may not be fully available at the time this post is published. This post might receive future updates; they will be listed here (if available).
The Exchange Server Team Updated Feb 10, 2026 VERSION 1.0 ADMINISTRATION ANNOUNCEMENTS DEPLOYMENT EXCHANGE 2016 EXCHANGE 2019 EXCHANGE SE ON PREMISES SECURITY SETUP
Like 1 Comment
The_Exchange_Team Platinum Contributor Joined April 19, 2019 View Profile Exchange Team Blog You Had Me at EHLO.
Comments
Please log in or register to join the discussion