Microsoft released the "August 2025" security update for Exchange Server on August 12, 2025. The security update applies to Exchange Server 2016, Exchange Server 2019, and, for the first time, Exchange Server Subscription Edition (SE). Exchange Online customers are already protected and are not affected by the update.
I became aware of this release through this comment (thanks to the reader for the tip) and the following tweet. Microsoft has published the Tech Community article Released: August 2025 Exchange Server Security Updates.
Security Updates (SUs) are available for the following specific versions of Exchange Server:
The August 2025 SUs address security vulnerabilities reported to Microsoft by third parties and discovered through Microsoft's internal processes in Exchange Server 2016, Exchange Server 2019, and, for the first time, Exchange Server Subscription Edition (SE). According to this website, the following vulnerabilities have been addressed:
- CVE-2025-25005: Tampering Vulnerability; CVSS 3.1 Score 6.5
- CVE-2025-25006: Spoofing Vulnerability; CVSS 3.1 Score 5.3
- CVE-2025-25007: Spoofing Vulnerability; CVSS 3.1 Score 5.3
- CVE-2025-33051: Information Disclosure Vulnerability; CVSS 3.1 Score 7.5
Microsoft rates the exploitability as unlikely. Although Microsoft is not aware of any active exploits, Redmond recommends that customers install these updates immediately to protect their Exchange environment.
Exchange Server AMSI body scanning enabled
With the Exchange Server November 2024 Security Update (SU) (see Exchange Server November 2024 Security Update (SU)), Microsoft expanded the AMSI integration with new features for scanning HTTP message bodies. Once the August 2025 Exchange Server Security Update is installed, this feature is enabled by default for all protocols.
If administrators notice reduced performance after installing the August 2025 SU, the AMSI body scan feature can be disabled (see Exchange Server AMSI integration documentation).
Measures and further information
After installing the appropriate security update for Exchange Server, administrators should run Health Checker again to check whether further measures are necessary. If errors occur during or after the installation of Exchange Server, the SetupAssist script must be run. The Tech Community article Released: August 2025 Exchange Server Security Updates also contains information on what to do in case of problems.
The August 2025 security updates also include fixes for the CVE-2025-53786 vulnerability (see Microsoft Exchange Server Hybrid at risk by CVE-2025-53786).