KB5074995 — Security Update for Microsoft Exchange Server 2016 CU23

Overview

KB5074995 is a critical security update released on February 10, 2026, for Microsoft Exchange Server 2016 Cumulative Update 23. This update addresses multiple high-severity vulnerabilities that could allow attackers to compromise Exchange servers through remote code execution, privilege escalation, and authentication bypass attacks.

Security Vulnerabilities Addressed

This update resolves five critical security vulnerabilities identified in Exchange Server 2016 CU23:

CVE-2026-0847: Remote Code Execution in Exchange Web Services

A critical vulnerability in Exchange Web Services allows authenticated attackers to execute arbitrary code on the Exchange server through specially crafted SOAP requests. This vulnerability has a CVSS score of 8.8 and could lead to complete server compromise.

CVE-2026-0848: Elevation of Privilege in Exchange Control Panel

An elevation of privilege vulnerability in the Exchange Control Panel could allow low-privileged users to gain administrative access to Exchange resources. The flaw stems from insufficient validation of user permissions during administrative operations.

CVE-2026-0849: Cross-Site Scripting in Outlook Web App

A stored XSS vulnerability in Outlook Web App allows attackers to inject malicious scripts into email content that executes when viewed by other users. This could lead to credential theft and session hijacking.

CVE-2026-0850: Authentication Bypass

An authentication bypass vulnerability could allow unauthenticated attackers to access Exchange resources without proper credentials. This flaw affects both internal and external access to Exchange services.

Exchange Management Shell Security Enhancement

Additional security controls have been implemented in Exchange Management Shell to prevent unauthorized PowerShell command execution and improve administrative operation tracking.

Affected Systems

This security update applies specifically to:

Organizations running Exchange Server 2016 CU23 should prioritize installation of this update due to the critical nature of the vulnerabilities addressed.

Installation Requirements

Before installing KB5074995, ensure the following prerequisites are met:

• Microsoft Exchange Server 2016 Cumulative Update 23 is installed and functioning properly
• All Exchange services are running without errors
• Minimum 2 GB free disk space is available on the system drive
• Active Directory schema is version 15317 or later
• Local administrator privileges are available for the installation account

Deployment Considerations

This security update should be deployed during scheduled maintenance windows due to the temporary service interruption required during installation. Exchange services will be automatically stopped and restarted as part of the update process.

For organizations with multiple Exchange servers, deploy the update in a phased approach starting with non-critical servers to validate functionality before updating production systems.

Post-Installation Verification

After installing the update, verify successful installation by checking:

• Exchange server build number is updated to 15.1.2507.42
• All Exchange services start successfully
• Outlook Web App functionality is working properly
• Exchange Management Shell operations complete without errors
• No critical errors are present in the Application or System event logs

Use the following PowerShell command to verify the installed build number:

Get-ExchangeServer | Format-List Name, AdminDisplayVersion

Security Impact

Organizations that do not install this update remain vulnerable to attacks that could result in:

• Complete compromise of Exchange servers
• Unauthorized access to email data and attachments
• Lateral movement within the network infrastructure
• Data exfiltration and privacy breaches
• Service disruption and availability issues

The vulnerabilities addressed by this update have been actively exploited in the wild, making immediate deployment critical for maintaining security posture.