Microsoft has issued crucial security updates for Exchange Server, addressing multiple vulnerabilities across Exchange Server Subscription Edition (SE), Exchange Server 2019, and Exchange Server 2016. The December 2025 security updates patch several critical flaws, including CVE-2025-64666, an elevation of privilege vulnerability, and CVE-2025-64667, a spoofing vulnerability.

Security updates (SUs) are available for the following Exchange Server versions:

  • Exchange SE RTM
  • Exchange Server 2019 CU14 and CU15 (to access, enroll into the ESU program)
  • Exchange Server 2016 CU23 (to access, enroll into the ESU program)

Key Vulnerabilities Addressed

The December 2025 updates resolve two primary Exchange Server vulnerabilities that pose significant risks to organizations running on-premises deployments.

CVE-2025-64666 is a high-severity elevation of privilege vulnerability with a CVSS score of 7.5. This flaw stems from improper input validation in Exchange Server, allowing an authenticated low-privilege user to escalate their permissions to administrator rights over the network. The vulnerability affects Exchange Server Subscription Edition RTM, Exchange Server 2019 CU14 and CU15, and Exchange Server 2016 CU23.

CVE-2025-64667 represents a spoofing vulnerability affecting the same Exchange Server versions. While Microsoft currently assesses the likelihood of exploitation as “less likely” for CVE-2025-64666, the company recommends immediate installation of these updates to protect environments, even though no active exploits have been observed in the wild.

ESU Program Required for Exchange 2019 and 2016

Exchange Server 2016 and 2019 reached end of support in October 2025, making them ineligible for regular security updates. Organizations running these versions must enroll in the Extended Security Update (ESU) program to access the December 2025 security patches.

The ESU program provides a six-month extension through April 2026, offering Critical and Important security updates for customers who haven’t yet migrated to Exchange Server Subscription Edition. Organizations not enrolled in the ESU program should migrate to Exchange Server Subscription Edition immediately to maintain security coverage.
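A quick way to act on the two steps above (find servers on an affected CU, then confirm the SU is actually installed) is an inventory check from the Exchange Management Shell. The script below is an added example, not part of the Microsoft or Messageware posts: it assumes the CU build prefixes from Microsoft's published Exchange build-number table, reads the SU-level build from ExSetup.exe (AdminDisplayVersion only reflects the CU), and uses PLACEHOLDER revision values that you must fill in from the linked December 2025 release post before trusting its verdicts.

```powershell
# Added example (not Microsoft's or Messageware's code). Flags Exchange servers on a CU covered
# by the December 2025 SU whose ExSetup.exe build is still below the patched revision.
# Run from the Exchange Management Shell with remoting rights to every server.

# CU build prefix (major.minor.build of ExSetup.exe) -> CU name and patched SU revision.
# PatchedRevision is a PLACEHOLDER: set it from the December 2025 SU build numbers in the
# Microsoft release post. Prefixes are assumed from Microsoft's published build table.
$Covered = @{
    '15.2.2562' = @{ Cu = 'Exchange SE RTM';    PatchedRevision = $null }  # PLACEHOLDER
    '15.2.1748' = @{ Cu = 'Exchange 2019 CU15'; PatchedRevision = $null }  # PLACEHOLDER
    '15.2.1544' = @{ Cu = 'Exchange 2019 CU14'; PatchedRevision = $null }  # PLACEHOLDER
    '15.1.2507' = @{ Cu = 'Exchange 2016 CU23'; PatchedRevision = $null }  # PLACEHOLDER
}

function Get-ExchangeSuStatus {
    param([string[]]$ServerNames)
    foreach ($name in $ServerNames) {
        # ExSetup.exe's file version changes with every SU; AdminDisplayVersion does not.
        # The install path is read from the Exchange setup registry key on the target server.
        $build = Invoke-Command -ComputerName $name -ScriptBlock {
            $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
            (Get-Item (Join-Path $setup.MsiInstallPath 'Bin\ExSetup.exe')).VersionInfo.ProductVersion
        }
        $v      = [version]$build
        $prefix = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
        $entry  = $Covered[$prefix]
        $status = if (-not $entry) {
            'CU not covered by the December 2025 SU: move to a supported CU or Exchange SE'
        } elseif ($null -eq $entry.PatchedRevision) {
            'Set PatchedRevision from the release post before evaluating'
        } elseif ($v.Revision -ge $entry.PatchedRevision) {
            'December 2025 SU present'
        } else {
            'MISSING December 2025 SU (ESU enrollment required for 2016/2019)'
        }
        [pscustomobject]@{ Server = $name; Build = $build; CU = $entry.Cu; Status = $status }
    }
}

# Usage: every server the Exchange Management Shell knows about.
Get-ExchangeSuStatus -ServerNames (Get-ExchangeServer | Select-Object -ExpandProperty Name) |
    Format-Table -AutoSize
```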

Full release details: https://techcommunity.microsoft.com/blog/exchange/released-december-2025-exchange-server-security-updates/4474949

Fortify Your Server with Messageware Security

Data breaches have increased by 72%, and servers can be compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security that stops AD account lockouts, eliminates password attacks, applies intelligent GEO blocking, and prevents Exchange Server vulnerability probing.

Don’t leave your critical infrastructure vulnerable: be proactive and stay ahead of evolving threats.