Exchange Server SE SU8 has been released
Hi All,
Today Microsoft has released the Exchange SE SU8
- Exchange Team Blog Released: July 2026 Exchange Server Security Updates
- Description of the security update for Microsoft Exchange Server Subscription Edition RTM: June 09, 2026 (KB5094139)
It fixes the following CVEs
- CVE-2026-55005 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2026-55006 - Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2026-55008 - Microsoft Exchange Server Spoofing Vulnerability
- CVE-2026-55009 - Microsoft Exchange Server Elevation of Privilege Vulnerability
You can download the Security Update here:
Installation
Bevore starting the Installation, i check if there is a pending reboot with a PowerShell Script i’ve wrote
.\Check-PendingReboot.ps1
After a reboot everything is fine
.\Check-PendingReboot.ps1
Let’s start the Installation
The Installation of the Security Update has successfully completed
Healthchecker
Microsoft recommends to run the HealthChecker after each Installation. The HealthChecker can be downloaded here:
In the first run, the HealthChecker updates the Script
.\HealthChecker.ps1
Now we can run the HealthChecker - nothing worring was found
.\HealthChecker.ps1
There are now some legacy Security Groups that can be deleted
- Exchange Domain Servers
- Exchange Enterprise Servers
- Exchange Recipient Administrators
Exchange Emergency Mitigation Service
Let’s check the Exchange Emergency Mitigation Service
cd $exscripts
.\Get-Mitigations.ps1
Now we need to block the Mitigation first
cd $exscripts
Set-ExchangeServer -Identity ICESRV02 -MitigationsBlocked @("M2.1.0")
.\Get-Mitigations.ps1
Let’s check the web.config before
Copy-Item -Path "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config" -Destination "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config.$((Get-Date).ToString('yyyyMMdd-HHmmss')).bak"
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules" -Name "." -AtElement @{name="EEMS M2.1 OWA CSP - outbound"}
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules/preConditions" -Name "." -AtElement @{name="EEMS M2.1 OWA SPA HTML shell - precondition"}
Let’s check the web.config after
Let’s check the Mitigations
cd $exscripts
.\Get-Mitigations.ps1
After the next run it looks like this
Happy Exchange patching 😎
Regards
Andres Bohren























