How Do I Install the February 2026 Exchange Server Update Without Breaking Hybrid Features?

Is Your Exchange Server Exposed? Critical February 2026 Security Patch Guide

On February 10, 2026, Microsoft released critical security updates for Exchange Server Subscription Edition (SE), Exchange Server 2019, and Exchange Server 2016 to address spoofing and elevation of privilege vulnerabilities. Administrators managing on-premises environments must apply these patches immediately, whereas Exchange Online environments remain unaffected and secure.

February 2026 Update Overview

Microsoft formally released the February 2026 Security Update (SU) on February 10, targeting vulnerabilities in Exchange Server 2016, 2019, and the newer Subscription Edition (SE). These updates address security flaws reported through third-party disclosures and internal investigations.

The specific updates apply to the following versions:

  • Exchange Server SE RTM: SU5 (KB5074992)
  • Exchange Server 2019: CU14 and CU15
  • Exchange Server 2016: CU23

It is crucial to note that the updates for Exchange 2016 and 2019 are accessible exclusively to organizations enrolled in the Extended Security Update (ESU) program, as standard support for these versions ended in 2025.

Technical Vulnerability Analysis

The February 2026 patch addresses specific vulnerabilities that compromise the integrity of the Exchange environment.

CVE-2026-21527: Spoofing Vulnerability

This vulnerability allows unauthorized attackers to perform spoofing attacks across a network by exploiting a misrepresentation of critical information within the user interface. The Common Vulnerability Scoring System (CVSS) rates this at 6.5 (Important). While attackers can view or modify sensitive information, they cannot restrict resource availability.

CVE-2025-64666: Elevation of Privilege

In addition to the spoofing flaw, this update resolves a critical Elevation of Privilege vulnerability (CVSS 7.5). This flaw could allow an authenticated attacker with low-level privileges to gain administrative control over the Exchange infrastructure.

Extended Security Update (ESU) Requirements

Administrators must recognize that standard support for Exchange Server 2016 and 2019 has ceased. The October 2025 updates were the final public releases for these legacy versions. Consequently, the February 2026 patches for 2016 and 2019 are only available to customers who have purchased Extended Security Updates.

This ESU program is a temporary bridge, scheduled to conclude in April 2026. Organizations utilizing these legacy servers without ESU are currently exposed to known threats. Microsoft strongly advises migrating to Exchange Server Subscription Edition (SE) or Exchange Online to ensure continued compliance and security.

Implementation and Verification

Deployment of these updates requires careful sequencing to avoid disrupting hybrid configurations. Administrators should execute the Exchange Server Health Checker immediately after installation to validate the patch status. If installation errors arise, the SetupAssist script provides automated troubleshooting capabilities to resolve common configuration conflicts.
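As a complement to the Health Checker run described above, the following added example (not Microsoft's code and not part of the original article) compares the `ExSetup.exe` build on every Exchange server against the patched build for its CU. The `-PatchedBuild` values are placeholders you must copy from the KB article for each CU, because the article does not list build numbers; the script also assumes PowerShell remoting to each server is allowed.

```powershell
# Added example, not Microsoft's code. Run from the Exchange Management Shell.
# -PatchedBuild values are PLACEHOLDERS you supply: one patched build per CU,
# copied from the KB article for that CU (the article above does not list them).
param(
    [Parameter(Mandatory)]
    [version[]]$PatchedBuild
)

$report = foreach ($server in (Get-ExchangeServer | Sort-Object Name)) {
    $row = [pscustomobject]@{
        Server = $server.Name; Installed = $null; Required = $null; Status = $null
    }
    try {
        # ExSetup.exe's file version changes when an SU is installed;
        # AdminDisplayVersion only tracks the CU.
        $text = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
            $v = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo
            '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                 $v.FileBuildPart, $v.FilePrivatePart
        }
        $row.Installed = [version]$text
    }
    catch {
        # Edge Transport or otherwise unreachable servers need a local check.
        $row.Status = 'Unreachable'
        $row
        continue
    }

    # Assumption: an SU changes only the fourth part of the build number,
    # so the first three parts identify which CU the server is on.
    $i = $row.Installed
    $row.Required = $PatchedBuild |
        Where-Object { $_.Major -eq $i.Major -and $_.Minor -eq $i.Minor -and $_.Build -eq $i.Build } |
        Select-Object -First 1

    $row.Status = if (-not $row.Required) {
        'NoBaselineForThisCU'   # server is on a CU you gave no patched build for
    } elseif ($i -ge $row.Required) {
        'Patched'
    } else {
        'MissingSU'
    }
    $row
}

$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled job or pipeline flag unpatched or unchecked servers.
if ($report | Where-Object Status -ne 'Patched') { exit 1 }
```

A `NoBaselineForThisCU` row means the server is on a CU for which no patched build was passed in, which is worth investigating in its own right since the article lists updates only for specific CUs.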

Exchange Online customers require no action, as the platform automatically mitigates these vulnerabilities. However, organizations with hybrid environments must still patch their on-premises management servers and workstations to prevent security gaps.