Microsoft shipped its July 2026 security updates on Tuesday, and for on-premises Exchange Server administrators, one patch demands immediate attention. CVE-2026-55005, a heap-based buffer overflow in Exchange, lets an attacker with a low‑privilege Active Directory account — a standard mailbox user will do — execute code remotely on the server with no user interaction. The vulnerability carries an 8.8 CVSS score and an ‘Important’ severity label, but that rating shouldn’t lull anyone into delaying deployment.

The company disclosed the flaw as part of its regular Patch Tuesday release. Fixes are available for every supported Exchange branch, although the path to obtaining those fixes diverges sharply depending on which version you run.

The Flaw: A Heap Overflow Open to Any Logged‑In User

CVE-2026-55005 is a classic memory‑corruption bug. Microsoft classifies it under CWE‑122, a heap‑based buffer overflow. In practice, that means specially crafted network traffic can overwrite memory in a way that allows the attacker to run arbitrary code on the Exchange server. The CVSS vector — AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — tells the story: network‑reachable, low complexity, low privileges required, no user interaction, and a complete compromise of confidentiality, integrity, and availability.

The crucial detail is the authentication requirement. This isn’t the unauthenticated, wormable scenario that kept Exchange teams up at night during the ProxyLogon era. But the barrier is perilously low. Attackers already have well‑oiled pipelines for acquiring usable credentials: password spraying, infostealer logs, phishing, credential reuse, help‑desk social engineering, and compromising synchronized cloud identities. Once an adversary plants a single mailbox password on an affected server, CVE‑2026-55005 can turn that foothold into full control of the messaging system — and potentially a launchpad into the rest of the network.

At publication time, Microsoft reported no evidence of public disclosure or active exploitation. That’s a snapshot, not a promise. Patch diffing — where attackers compare updated and unpatched binaries to find the exact change — makes it almost certain that proof‑of‑concept code will surface soon.

Affected Versions and Fixed Builds

Four servicing branches are in scope, and each has a specific minimum build that closes the hole:

Exchange Version Build Before Fix Minimum Build After Fix
Exchange Server 2016 CU23 Earlier than 15.1.2507.71 15.1.2507.71
Exchange Server 2019 CU14 Earlier than 15.2.1544.43 15.2.1544.43
Exchange Server 2019 CU15 Earlier than 15.2.1748.48 15.2.1748.48
Exchange Server Subscription Edition RTM Earlier than 15.2.2562.45 15.2.2562.45

Administrators should verify the installed build directly rather than trust that Windows Update or a deployment tool has done its job. An interrupted installation can leave services running but binaries at a mixed version, still vulnerable. Run Get‑ExchangeServer | Format‑List Name, AdminDisplayVersion to confirm.

Exchange Online customers are already protected — the service is patched on Microsoft’s side. Hybrid organizations, however, must not ignore the on‑premises servers. Moving mailboxes to the cloud does not uninstall Exchange; those servers remain live and exploitable.

Why This Matters Even Without an Anonymous Entrypoint

The ‘Important’ rating has occasionally misled administrators into scheduling the update alongside less critical changes. That would be a mistake. A single compromised credential is an everyday event in enterprise security, and this vulnerability converts that event into a server takeover.

Consider the typical attack sequence:
1. An attacker obtains a low‑privilege user’s password through phishing or spraying.
2. They authenticate to the Exchange server over the network — perhaps to an under‑protected web endpoint like Exchange Web Services or the Exchange Control Panel.
3. They trigger the heap overflow and execute code with the privileges of the Exchange service account, which is often highly privileged on the local machine and in Active Directory.

From there, the attacker can exfiltrate mailboxes, install persistent backdoors, harvest credentials for lateral movement, or deploy ransomware. The server that manages your organization’s most sensitive communications becomes the attacker’s beachhead.

So the patch matters even for internal‑only Exchange servers that sit behind a firewall. An attacker who already controls a workstation or an account inside the perimeter can reach internal services without traversing the internet. And the flood of credential‑theft incidents means that low‑privilege logins are never safe to dismiss.

The Support Divide: ESU vs. Subscription Edition

Here is where the update process splits based on your licensing posture.

  • Exchange Server Subscription Edition is the current on‑premises branch and receives security updates through the usual Microsoft Update Catalog or Windows Server Update Services. Deploy the July 2026 update as you normally would.
  • Exchange Server 2016 and Exchange Server 2019 exited mainstream support on October 14, 2025. Their security updates are now available only through the Extended Security Update (ESU) program, and only if you have active ESU licenses for Period 2 (the second year of extended coverage). Without an ESU entitlement, you cannot legally obtain the July patch for these versions. Your server will remain exposed.

Organizations caught in this gap have a stark choice: migrate to Exchange Server Subscription Edition, move all mailboxes to Exchange Online and decommission the on‑premises server, or purchase the necessary ESU licenses. The ESU route buys time but is not a long‑term strategy; Period 2 ESU ends in October 2026 for Exchange 2016 and October 2027 for Exchange 2019.

What to Do Right Now

Start with a thorough inventory of every Exchange server in your estate — production, disaster recovery, edge transport, management tools workstations. Check each server’s build number and note which servicing branch it’s on.

For servers that can receive the update:
1. Download the correct July 2026 security update for your build. For Subscription Edition, use the Microsoft Update Catalog. For ESU‑enrolled 2016/2019 servers, obtain the update through the Volume Licensing Service Center or your usual ESU delivery method.
2. Deploy from an elevated command prompt. Always run Exchange cumulative and security updates with elevated privileges, not just double‑clicking the installer. Plan for service interruption — Exchange services will restart, and client access will drop briefly.
3. Verify the build after installation. Check the AdminDisplayVersion again and confirm it matches the minimum listed above.
4. Run the Exchange Server Health Checker script to spot any configuration drift or issues introduced by the update.
5. Test mail flow, client access, and any third‑party integrations. Pay special attention to Office Online Server (OOS) integration; Microsoft warns that mixed‑version OOS environments can behave unpredictably, so update all Exchange servers in a cluster in a coordinated window.

For servers that can’t be updated immediately (those lacking ESU or awaiting a migration window):
- Restrict external access to Exchange web endpoints. Disable Outlook on the web, Exchange Web Services, and Exchange Control Panel for internet‑facing interfaces if possible.
- Enforce multifactor authentication on any remaining external access methods.
- Tighten account protections: enable smart lockout or account lockout policies, audit for stale or over‑privileged accounts, and disable unused mailboxes.
- Increase monitoring for anomalous authentication patterns. Look for repeated failed logins, unusual source IP addresses, PowerShell activity from low‑privilege accounts, and new mailbox delegation permissions.

Additionally, confirm that your Exchange servers have the June 2026 security update (or later) already deployed. Microsoft introduced an issuer‑validation change in June that affects the Exchange Emergency Mitigation and Feature Flighting services. Without the June update, your servers can’t consume new mitigation configuration files issued after July 2026, leaving you blind to future emergency protections.

The Bigger Picture: Patch Hygiene and the Road Ahead

CVE-2026-55005 is not the first authenticated‑only RCE in Exchange, and it won’t be the last. But it lands at a moment when the product’s support lifecycle is forcing hard decisions. For every month that an organization delays patching, the risk climbs — not just from this vulnerability, but from the eventual availability of exploit code, which will be diffed from the July update in short order.

Microsoft has confirmed the vulnerability and published a fix, giving the advisory its strongest confidence rating. That doesn’t mean exploit code is public now; it means the flaw is no longer theoretical. Once the technical details inevitably surface, unpatched servers become low‑hanging fruit scanning services will pick up immediately.

Take the time today to check your Exchange build numbers, line up the update, and map out a patch window. Because when a single stolen password is all an attacker needs to own your mail server, leaving the door open for a few more days is a risk no organization should accept.