Skip to Content

What security fixes are in the first Exchange Subscription Edition update?

By: Author Alex Lim

Posted on

Categories Microsoft

Home » Microsoft » What security fixes are in the first Exchange Subscription Edition update?

Critical Advisory: Microsoft Exchange Security Updates (December 2025)

Date of Release: December 9, 2025
Affected Systems: Exchange Server SE, Exchange 2019 (ESU), Exchange 2016 (ESU)

Microsoft has deployed the December 2025 security update. This release is significant for two reasons: it is the inaugural update for the newly launched Exchange Server Subscription Edition (SE), and it solidifies the new support restrictions for legacy versions.

If your organization utilizes Exchange Online, your systems are already protected. No action is required. However, on-premises administrators must review the following details carefully.

The Shift to Extended Security Updates (ESU)

The most urgent aspect of this release involves the support lifecycle for older versions. Standard support for Exchange Server 2016 and 2019 ended in October 2025.

Consequently, the December 2025 Security Updates (SUs) are not publicly available for these versions. You will only receive these patches if your organization has purchased Extended Security Updates (ESU). Without an active ESU contract, your infrastructure remains vulnerable to the threats detailed below.

Recommendation: If you have not secured ESU coverage, you must prioritize migrating to Exchange Server Subscription Edition (SE) immediately to ensure continued security compliance.

Vulnerability Analysis

This update addresses flaws identified through internal audits and third-party reports. While no active exploitation is currently detected, the severity of the flaws warrants immediate patching.

CVE-2025-64666 | Elevation of Privilege

Severity: Important (CVSS 7.5)

Risk: This vulnerability stems from improper input validation. An attacker with authorized access could exploit this flaw to gain higher privileges across the network. While exploitation is considered less likely, the potential impact on system integrity is high.

CVE-2025-64667 | Spoofing Vulnerability

Severity: Important (CVSS 5.3)

Risk: This flaw involves the misrepresentation of data within the Exchange User Interface (UI). An unauthorized attacker could manipulate this information to deceive users or administrators.

Additional Fixes

Beyond security patches, this update resolves a functional defect affecting hybrid environments. Specifically, it fixes integration issues between Exchange Server and Skype for Business Server that occur after enabling the dedicated Exchange hybrid application.

Implementation Strategy

Admins must follow a strict protocol to ensure system stability during this update cycle:

  1. Verify ESU Status: Ensure your Exchange 2016/2019 servers have active ESU licenses.
  2. Install Updates: Apply the SUs to Exchange SE or your ESU-enabled legacy servers.
  3. Run Health Checker: After installation, execute the Exchange Health Checker script to validate the patch status.
  4. Troubleshoot: If the update fails, utilize the SetupAssist script to diagnose and repair installation errors.