Microsoft has released the September 2025 Hotfix Updates (HUs) for Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). These non-security updates address specific issues in earlier releases and include continued support for the dedicated Exchange hybrid app functionality.

HUs are available for the following specific versions of Exchange Server:

  • Exchange Server 2016 CU23
  • Exchange SE RTM

What’s in the September 2025 HUs

  • Non-security hotfix updates for Exchange Server 2016, 2019, and SE, available for supported CUs, addressing specific deployment scenarios that some organizations encountered.
  • Dedicated Exchange hybrid app support continues from the April 2025 HU announcement, providing organizations with the tools needed to migrate away from legacy shared service principal configurations.
  • Cumulative update structure means these HUs contain all previous fixes and features from earlier Security Updates and Hotfix Updates, allowing direct installation without requiring sequential updates.

Reminder: Dedicated Exchange Hybrid Application support

Because Exchange updates are cumulative, the September 2025 HUs include support for creating the dedicated Exchange hybrid app, originally announced with the April 2025 HU release. See the post "Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions" to evaluate which actions are appropriate for your organization, and check the feature documentation (including the FAQ).

Key Considerations for Hybrid Environments

  • Dedicated hybrid app transition remains critical for organizations using Exchange hybrid deployments, as this addresses CVE-2025-53786 and prepares for permanent EWS blocking of the shared service principal after October 31, 2025.
  • Cumulative nature of Exchange updates means installing the September 2025 HU provides all security protections and features from previous updates, making it suitable for organizations that haven’t yet applied recent Security Updates.
  • Optional but beneficial deployment – while these are non-security updates, they may introduce features or fixes that benefit specific organizational scenarios, particularly those involving hybrid configurations.

Installation and Deployment

Microsoft provides multiple installation paths for the September 2025 HUs:

Required Actions

  • Install the September 2025 HU on all Exchange servers and workstations with Exchange Management Tools to maintain compatibility and access to the latest fixes.
  • Complete dedicated hybrid app migration if running hybrid Exchange environments, following Microsoft’s configuration guidance to address CVE-2025-53786.
  • Re-run Health Checker after installation to verify successful deployment and identify any additional actions needed.
  • Review hybrid functionality if authentication certificates are changed post-installation, as this may require re-running the Hybrid Configuration Wizard.

Notes and FAQs

  • Are September 2025 HUs cumulative? Yes—install the latest HU applicable to your supported CU; no need to chain previous updates.
  • Can Hotfix Updates be uninstalled? Yes, HUs can be uninstalled if needed, similar to Security Updates.
  • Will features be included in future updates? Content from this HU will be included in subsequent Exchange Server updates, so future updates will incorporate these fixes automatically.
  • Do Exchange Online-only tenants need action? Exchange Online environments don’t require these updates, but any on-premises Exchange servers should be updated.
