Exchange Server SE SU8 has been released

Exchange Server SE SU8 has been released

Hi All,

Today Microsoft has released the Exchange SE SU8

It fixes the following CVEs

  • CVE-2026-55005 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2026-55006 - Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2026-55008 - Microsoft Exchange Server Spoofing Vulnerability
  • CVE-2026-55009 - Microsoft Exchange Server Elevation of Privilege Vulnerability

You can download the Security Update here:

Installation

Bevore starting the Installation, i check if there is a pending reboot with a PowerShell Script i’ve wrote

.\Check-PendingReboot.ps1

After a reboot everything is fine

.\Check-PendingReboot.ps1

Let’s start the Installation

The Installation of the Security Update has successfully completed

Healthchecker

Microsoft recommends to run the HealthChecker after each Installation. The HealthChecker can be downloaded here:

In the first run, the HealthChecker updates the Script

.\HealthChecker.ps1

Now we can run the HealthChecker - nothing worring was found

.\HealthChecker.ps1

There are now some legacy Security Groups that can be deleted

  • Exchange Domain Servers
  • Exchange Enterprise Servers
  • Exchange Recipient Administrators

Exchange Emergency Mitigation Service

Let’s check the Exchange Emergency Mitigation Service

cd $exscripts
.\Get-Mitigations.ps1

Now we need to block the Mitigation first

cd $exscripts
Set-ExchangeServer -Identity ICESRV02 -MitigationsBlocked @("M2.1.0")
.\Get-Mitigations.ps1

Let’s check the web.config before

Copy-Item -Path "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config" -Destination "$env:ExchangeInstallPath\FrontEnd\HttpProxy\owa\web.config.$((Get-Date).ToString('yyyyMMdd-HHmmss')).bak"
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules" -Name "." -AtElement @{name="EEMS M2.1 OWA CSP - outbound"}
Remove-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\owa" -Filter "system.webServer/rewrite/outboundRules/preConditions" -Name "." -AtElement @{name="EEMS M2.1 OWA SPA HTML shell - precondition"}

Let’s check the web.config after

Let’s check the Mitigations

cd $exscripts
.\Get-Mitigations.ps1

After the next run it looks like this

Happy Exchange patching 😎

Regards
Andres Bohren

Exchange Logo

Security Logo