Microsoft has announced that no Exchange Server security updates will be released in May 2026. This covers every currently supported version of Exchange Server, including those participating in the Extended Security Update (ESU) program.

Both the ESU program and Exchange security updates more broadly follow an as-needed model — patches are issued only when the Microsoft Security Response Center (MSRC) identifies and confirms a qualifying Critical or Important vulnerability. When no such vulnerabilities have been found or need urgent remediation, no update is published.

Reading our article? Try our product:

360 Protection for Windows Servers - Zero-Risk Trial

What You Should Do

The lack of an May update does not mean your Exchange environment requires less attention. Recommended actions for administrators include:

  • Maintain your current patch level — Ensure your Exchange servers are running on the latest previously released cumulative or security update.
  • Monitor Microsoft’s Exchange blog — Updates are announced promptly when available; subscribe to stay informed.
  • Continue migration planning — If you are on Exchange 2016 or 2019, use this window productively to advance your migration to Exchange Server Subscription Edition (SE).
  • Review your security posture — No new patch does not mean no new threats; ensure your perimeter and internal controls remain strong.

ESU Program Reminder

For organizations enrolled in the Period 2 ESU program (May–October 2026), this month’s non-release is a reminder that ESU updates are not guaranteed on a monthly cadence. Microsoft will only push updates when a valid security event warrants it. Plan your compliance and audit cycles accordingly.

Fortify Your Server with Messageware Security

Data breaches have increased by 72%, servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Server Threat Guard (STG) for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.

Don’t leave your critical infrastructure vulnerable, be proactive and stay ahead of evolving threats.