Exchange Server Security Updates October 2025

Microsoft released the "October 2025" security update for Exchange Server on October 14, 2025. The security update applies to Exchange Server 2016, Exchange Server 2019, and, for the first time, Exchange Server Subscription Edition (SE). Exchange Online customers are already protected and are not affected by the update.

I became aware of the release via a comment in the discussion forum (thanks to the reader for the tip) and a subsequent tweet. Microsoft has published a Tech Community article, "Released: October 2025 Exchange Server Security Updates", on this topic.

Security Updates (SUs) are available for the following specific versions of Exchange Server:

  • Exchange SE RTM
  • Exchange Server 2019 CU14 and CU15
  • Exchange Server 2016 CU23

The October 2025 SUs address security vulnerabilities reported to Microsoft by third parties and discovered through Microsoft's internal processes in Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). According to this website, the following vulnerabilities have been addressed:

  • CVE-2025-53782: Server Elevation of Privilege Vulnerability; CVSS 3.1 Score 7.3
  • CVE-2025-59248: Spoofing Vulnerability; CVSS 3.1 Score 7.5
  • CVE-2025-59249: Server Elevation of Privilege Vulnerability; CVSS 3.1 Score 7.7

Although Microsoft is not aware of any active exploits, Redmond recommends that customers install these updates immediately to protect their Exchange environment. Exchange Online customers are already protected against the vulnerabilities addressed in these SUs and do not need to take any further action other than updating the Exchange servers or Exchange Management Tools workstations in their environment.

Last patches for Exchange Server 2016/2019

The SUs from October 2025 are the last publicly available SUs for Exchange Server 2016 and 2019. After this date, only customers who have contacted their Microsoft customer team to obtain the Extended Security Update (ESU) for these versions will receive new SUs, which Microsoft may release until April 2026 for Exchange 2016 and 2019. Microsoft recommends that users of these Exchange versions upgrade to Exchange SE.

Exporting authentication certificates no longer possible

Starting with the October 2025 SU, exporting the Exchange Server authentication certificate and its private key with Export-ExchangeCertificate will be blocked for security reasons (for more information, see KB5069337).

Measures and further information

After installing the appropriate security update for Exchange Server, administrators should run Health Checker again to check whether further measures are necessary. If errors occur during or after the installation of Exchange Server, run the SetupAssist script. The Tech Community article "Released: October 2025 Exchange Server Security Updates" also contains information on what to do if problems arise.
