Microsoft has released its February 2026 security updates for Exchange Server, addressing a critical elevation of privilege vulnerability that affects multiple versions of the platform. The updates are available for Exchange Server Subscription Edition (SE) as well as legacy versions through the Extended Security Updates (ESU) program.

Affected Exchange Server Versions

The February 2026 security updates are available for the following Exchange Server versions:

  • Exchange Server Subscription Edition (SE) – KB5074992
  • Exchange Server 2019 CU14 and CU15 – Available through ESU enrollment
  • Exchange Server 2016 CU23 – Available through ESU enrollment

Organizations running Exchange Server 2016 or 2019 must be enrolled in Microsoft’s Extended Security Updates program to access these critical patches. The ESU program was announced in July 2025 as a 6-month extension for customers who haven’t completed their migration to newer Exchange versions.

CVE-2026-21527

CVE-2026-21527 is a spoofing vulnerability affecting Microsoft Exchange Server that stems from user interface (UI) misrepresentation of critical information. Classified under CWE-345 (Insufficient Verification of Data Authenticity), this flaw allows unauthorized attackers to manipulate how information is displayed within the Exchange Server interface without requiring any authentication or user interaction. The vulnerability affects Microsoft Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Updates 14 and 15, and the Exchange Server Subscription Edition.

With a CVSS score of 6.5 and rated as medium severity, CVE-2026-21527 enables network-based attackers to perform spoofing attacks that compromise the confidentiality and integrity of email communications. The low attack complexity and absence of required privileges make this vulnerability relatively easy to exploit, allowing attackers to deceive users by presenting malicious content as legitimate, spoofing sender information, or displaying falsified interface elements.

Exchange 2016 and 2019 updates are available only under the ESU program

Exchange Server 2016 and 2019 are out of support.

Customers who enrolled in the Extended Security Update (ESU) program are eligible to receive the February 2025 security updates for Exchange Server 2016 and 2019.

If you are not part of the ESU program, migrate to Exchange Server Subscription Edition (SE) to keep receiving the latest security updates.
