Microsoft will not release security updates for Exchange Server this month, the company confirmed on May 12, 2026—the date that would typically mark Patch Tuesday for the collaboration platform. The pause affects all supported Exchange versions: the modern Exchange Server Subscription Edition (Exchange SE) and legacy Exchange Server 2016 and 2019 deployments that are still receiving patches through Extended Security Updates (ESU).
For IT administrators who have grown accustomed to the second-Tuesday ritual, the news lands with a mix of relief and unease. A month without an update means no frantic patching cycle, no late-night maintenance windows, and no rushed change control boards. But it also upends the predictable cadence that security teams rely on to safeguard their environments. The announcement arrives amid a broader transformation in how Microsoft delivers updates for its on-premises server products, with Exchange SE’s subscription model and the eventual sunset of ESUs reshaping the landscape.
What happened
On May 12, 2026, Microsoft posted a brief notice to the Exchange Team Blog and updated its Security Update Guide (SUG) with a simple message: there are no security updates for Exchange Server this month. The statement is short, direct, and deliberately unadorned:
- No Common Vulnerabilities and Exposures (CVEs) targeting Exchange Server have been resolved this month.
- No new security patches are available for Exchange Server Subscription Edition.
- No security updates are being shipped for Exchange Server 2016 or Exchange Server 2019 customers with active ESU licenses.
This is not a postponement or a quality issue. It is a deliberate decision, made because the eligibility bar for a Patch Tuesday security release was not met: either the company's engineering teams found no vulnerabilities in Exchange that required immediate mitigation, or those that did exist were not yet ready for responsible disclosure.
It’s the first time since at least the early 2020s that an entire month has gone by without any Exchange security update. The Exchange product group has historically maintained a steady drumbeat, often bundling fixes for multiple CVEs each month, even if none are being actively exploited. A zero-CVE month is unusual and worth understanding in depth.
Why is there no update?
Microsoft’s criteria for shipping a security update are not publicly documented in granular detail, but the general principle is clear: an update is warranted only when a vulnerability has been verified, severity assessed, and a fix developed, tested, and cleared for release. Several factors likely converged to create this May hiatus:
- No critical or important CVEs qualified. The most straightforward explanation is that Microsoft’s security researchers and external reporters did not discover any new vulnerabilities that met the bar for an out-of-band or monthly release. This can happen when the attack surface is stable and code maturity is high.
- Ongoing investigations. It’s entirely possible that potential vulnerabilities are under investigation but have not yet been validated or assigned a CVE. In such cases, Microsoft follows coordinated vulnerability disclosure (CVD) practices, which can delay public patches.
- Shift in engineering priorities. The Exchange team is actively developing future releases, migrating features to Exchange SE, and working on the next generation of hybrid and on-premises capabilities. Some months, the engineering cycles simply don’t align with a security release.
- Cadence adjustments. With Exchange SE moving to a subscription-based model, some observers have speculated that Microsoft might eventually move away from monthly security updates in favor of quarterly or adaptive cycles. The company has not announced such a change, but this quiet month fuels that speculation.
Regardless of the exact cause, the key point is that the absence of patches is not a sign of neglect. The last several years have seen enormous investments in Exchange Server security—from the Security Update Validation Program (SUVP) and the introduction of the Exchange Emergency Mitigation service (EEMS) to the modernized update architecture in Exchange SE.
Who is affected
The no-update announcement applies to the following on-premises Exchange deployments:
- Exchange Server Subscription Edition (Exchange SE): Customers who run the latest cumulative update of Exchange SE on Windows Server. SE is the go-forward product, delivered through a periodic servicing model tied to an active subscription.
- Exchange Server 2019 with Extended Security Updates (ESU): Environments that have enrolled in the paid ESU program to continue receiving security patches after mainstream support ended in April 2024. ESU is available until April 10, 2029.
- Exchange Server 2016 with Extended Security Updates (ESU): Deployments that purchased ESU coverage for Exchange 2016, whose extended support ended on October 14, 2025. These customers rely on ESU for any security fixes.
If you are running Exchange Server 2019 or 2016 without an active ESU license, you have not been receiving security updates for some time. For those environments, this news is a moot point—you are already operating outside of Microsoft’s supported boundaries. However, the lack of new CVEs does not change the risk posture for unsupported servers; they remain exposed to existing, unpatched vulnerabilities that accumulate over time.
Cloud-based Exchange services (Exchange Online, Microsoft 365) are not affected by this announcement. The Exchange Online ecosystem follows its own servicing model and receives continuous, platform-level protections that are separate from the on-premises update process.
What this means for IT administrators
A month without a security update creates a temporary operational vacuum. Here’s what admins should do right now:
- Pause, but don’t abandon your patching process. Even without a new CVE-directed fix, this is a good opportunity to review your environment for compliance with previously released updates. Verify that all servers are running the latest supported build. For Exchange SE, that means the most recent cumulative update; for 2019 and 2016 ESU customers, it means the latest update rollup.
- Revisit your emergency mitigation strategy. The Exchange Emergency Mitigation service (EEMS) is still active and may deliver interim mitigations for any vulnerability that emerges between official patches. Ensure EEMS is enabled and configured correctly. If you haven’t deployed it yet, now is the time.
- Conduct a security posture review. Use the break to run the Microsoft Exchange Health Checker script (available on GitHub) and review the output for common misconfigurations. Check for disabled or outdated authentication protocols, unnecessary services, and exposed endpoints.
- Reassess your update testing environment. If you’ve been struggling to keep up with back-to-back updates, use this month to refine your test procedures. Validate that your lab environment mirrors production, automate your patch deployment with tools like Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager, and document rollback plans.
- Communicate clearly with stakeholders. Business leaders may hear “no update” and assume the risk is lower. Remind them that extant vulnerabilities remain active and that threat actors often target unpatched Exchange servers. A single skipped month does not reduce the urgency of eventual patching.
- Plan for cumulative update rollups. Exchange SE releases cumulative updates on a predictable schedule (often quarterly). If a security fix is ready after Patch Tuesday, it may be bundled into the next cumulative update. Be prepared for a potentially larger-than-usual update in June or July.
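A read-only check for the first two items in the list above, as an added example that is not from Microsoft or the original article: it reports each server's installed build and Emergency Mitigation state from the Exchange Management Shell. It assumes PowerShell remoting to each server is allowed, and `$expectedBuild` is a placeholder to fill in from Microsoft's published Exchange build list.

```powershell
# Added example. Run in the Exchange Management Shell; changes no configuration.

# Placeholder, not a real build: set to the short-form build number
# (major.minor.build.revision) of the latest update for your version.
$expectedBuild = '<latest-build-from-Microsoft-build-list>'

# Organization-wide EEMS switch. If False, no server applies mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    # AdminDisplayVersion reflects the cumulative update only. Security updates
    # change the ExSetup.exe file version, so read that on each server.
    try {
        $build = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
            $exe = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            $v = (Get-Item $exe).VersionInfo
            '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                 $v.FileBuildPart, $v.FilePrivatePart
        }
    } catch {
        $build = 'unreachable'   # e.g. Edge Transport servers or blocked WinRM
    }

    [pscustomobject]@{
        Server            = $server.Name
        Role              = $server.ServerRole
        Build             = $build
        BuildCurrent      = ($build -eq $expectedBuild)
        OrgMitigations    = $orgEnabled
        ServerMitigations = $server.MitigationsEnabled
        Applied           = ($server.MitigationsApplied -join ', ')
        Blocked           = ($server.MitigationsBlocked -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers needing attention: behind on builds, or EEMS off at either level.
$report | Where-Object {
    -not $_.BuildCurrent -or -not $_.OrgMitigations -or -not $_.ServerMitigations
} | Select-Object Server, Build, OrgMitigations, ServerMitigations
```

A non-empty `Blocked` column is worth a second look: it lists mitigations an administrator has told the server not to apply.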
The Patch Tuesday context
Patch Tuesday, the second Tuesday of each month, has been the cornerstone of Microsoft’s update rhythm since 2003. For Exchange, it usually means a mix of security updates, often critical, sometimes accompanied by known issues or required registry keys. The May 2026 gap is a departure from a long-standing pattern.
Historically, Exchange has rarely seen a month with zero security updates. Even in relatively quiet periods, Microsoft will issue a “defense-in-depth” update or a non-security hotfix. The last notable stretch without Exchange CVEs might have been in 2022, but even then, defense-in-depth updates were common. This complete absence is a reminder that the security landscape for on-premises Exchange has matured considerably. The combination of strict development practices, proactive threat intelligence, and architectural hardening (such as the removal of Unified Messaging and legacy components in Exchange SE) has narrowed the attack surface.
Yet, it would be a mistake to interpret this quiet month as a signal that Exchange is somehow immune. Ransomware operators and nation-state actors continue to target on-premises Exchange servers because they are often the gateway to an organization’s entire identity system. The absence of new patches does not mean new exploitation techniques won’t appear. Administrators must remain vigilant.
Extended Security Updates and the subscription shift
The no-update announcement underscores the evolving support landscape for Exchange Server. ESU was introduced as a bridge for organizations that could not migrate to Exchange Online or Exchange SE before mainstream support ended. The program provides security updates only—no new features, no technical support beyond the activated key, and no bug fixes except those categorized as security.
With Exchange 2016’s extended support now fully expired, only customers who purchased ESU for that version are still in the loop. Exchange 2019’s ESU window runs until 2029, giving organizations a longer runway. However, Microsoft has been clear that ESU is a temporary measure. Exchange SE, with its subscription model, is designed to deliver continuous value, with feature updates, security fixes, and support all tied to an active subscription. Admins on ESU should be actively planning their migration to Exchange SE before the 2029 cutoff.
For Exchange SE subscribers, this month’s non-event is a glimpse of what a mature, well-maintained subscription service can look like: consistent updates when needed, quiet periods when not. But it also raises a question: if updates become less frequent, will the perceived value of the subscription decline? Microsoft will need to balance the reality of a reduced CVE count with the promise of continuous improvement that a subscription model implies.
What’s next for Exchange Server security
Microsoft has not published a forward-looking security roadmap for Exchange Server, but several trends are discernible:
- Increased reliance on automated mitigations. The Exchange Emergency Mitigation service, available for Exchange 2019 and SE, will likely become the first line of defense, applying temporary protections within hours of a vulnerability being discovered, long before a traditional patch ships.
- Hardening by default. Exchange SE ships with features like Extended Protection, modern authentication, and stricter attachment handling enabled out of the box. As these become the norm, the pool of exploitable misconfigurations shrinks naturally.
- Risk-based patching. Microsoft has invested heavily in its Security Update Guide’s machine-readable data and the Common Vulnerability Scoring System (CVSS) v4. Organizations are increasingly using these to prioritize patches based on actual risk, rather than blindly deploying everything. A month with no CVEs simply means the priority queue is empty.
- Hybrid dependency. Many on-premises Exchange servers exist solely as management tools for Exchange Online hybrid configurations. Microsoft’s guidance for these scenarios continues to evolve, and future updates may further reduce the complexity—and the attack surface—of hybrid management servers.
If nothing else, the May 2026 gap is a chance for the industry to reflect on almost a decade of intense Exchange security incidents. From the Hafnium zero-days in 2021 to the ProxyNotShell vulnerabilities of 2022, Exchange has been a high-value target. The quiet month may be a sign that the investments are finally paying off—or it may simply be the eye of the storm.
Final thoughts for admins
The May 2026 no-update announcement is not a call to relax. Use this unscheduled breathing room to tighten controls, validate backups, test your disaster recovery procedures, and accelerate your migration plans if you’re still on aging versions. Check the Microsoft Security Update Guide monthly, as always, but also subscribe to the Exchange Team Blog for early warnings and context that won’t appear in a CVE list.
A single month without patches is an anomaly, not a new normal. When the next update cycle arrives, it may come with a critical fix that demands immediate attention. Until then, treat this quiet Tuesday as a gift—but don’t let it lull you into complacency.