Exchange Server 2016 and 2019 end-of-support migration guidance
Advisory/Mitigation
Summary
Hide ▲
Show ▼
Microsoft says Exchange Server 2016 and Exchange Server 2019 reached end of support on October 14, 2025, leaving on-premises deployments without future vendor security coverage and raising upgrade urgency. The company is urging administrators to upgrade to Exchange Server SE or migrate to Exchange Online to stay supported and secure. After the October 2025 Exchange Server Security Updates, Microsoft will stop issuing security patches for these versions, increasing the risk of exposure to newly discovered vulnerabilities.
Related Happenings
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/Mitigation
First: 15.05.2026 12:40
Last: 15.05.2026 12:40
Sources 1
About this happening:
**Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/MitigationAbout this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Latest development: 15.05.2026 15:35
Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
Vulnerability
First: 15.05.2026 09:19
Last: 15.05.2026 09:19
Sources 1
About this happening:
**CVE-2026-42897** is an **actively exploited** **spoofing/XSS** flaw in **on-premises Microsoft Exchange Server** that can let attackers trigger **arbitrary JavaScript** in a bro...
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
VulnerabilityAbout this happening: **CVE-2026-42897** is an **actively exploited** **spoofing/XSS** flaw in **on-premises Microsoft Exchange Server** that can let attackers trigger **arbitrary JavaScript** in a bro...
Microsoft May 2026 Patch Tuesday release
Security Patch Release
First: 13.05.2026 13:36
Last: 13.05.2026 13:36
Sources 1
About this happening:
Microsoft's **May 13, 2026 Patch Tuesday** release fixed **138 vulnerabilities** across its product portfolio, including **Windows**, **Azure**, and **Edge**. None of the flaws we...
Microsoft May 2026 Patch Tuesday release
Security Patch ReleaseAbout this happening: Microsoft's **May 13, 2026 Patch Tuesday** release fixed **138 vulnerabilities** across its product portfolio, including **Windows**, **Azure**, and **Edge**. None of the flaws we...
Windows 10 KB5087544 extended security update
Security Patch Release
First: 12.05.2026 21:58
Last: 12.05.2026 21:58
Sources 1
About this happening:
**Microsoft** released **Windows 10 KB5087544** for **Windows 10 ESU/LTSC systems**, addressing **May 2026 Patch Tuesday vulnerabilities** and a **Remote Desktop warnings** issue....
Windows 10 KB5087544 extended security update
Security Patch ReleaseAbout this happening: **Microsoft** released **Windows 10 KB5087544** for **Windows 10 ESU/LTSC systems**, addressing **May 2026 Patch Tuesday vulnerabilities** and a **Remote Desktop warnings** issue....
Microsoft Exchange Online blocks legacy TLS for POP3 and IMAP4 starting July 2026
Security Tool/Service
First: 28.04.2026 16:18
Last: 28.04.2026 16:18
Sources 1
About this happening:
**Microsoft** will block **TLS 1.0** and **TLS 1.1** for **POP3/IMAP4** access to **Exchange Online** in **July 2026**, which could break legacy mail clients and embedded devices...
Microsoft Exchange Online blocks legacy TLS for POP3 and IMAP4 starting July 2026
Security Tool/ServiceAbout this happening: **Microsoft** will block **TLS 1.0** and **TLS 1.1** for **POP3/IMAP4** access to **Exchange Online** in **July 2026**, which could break legacy mail clients and embedded devices...
Timeline
-
14.10.2025 21:26 1 articles · 7mo ago
Exchange Server 2016 and 2019 reach end of support
Initial DisclosureMicrosoft says Exchange Server 2016 and Exchange Server 2019 reach end of support on October 14, 2025, so customer installations continue to run but will no longer receive security patches, time zone updates, bug fixes, or technical support.
Show sources
- Microsoft: Exchange 2016 and 2019 have reached end of support — www.bleepingcomputer.com — 14.10.2025 21:26
-
14.10.2025 21:26 2 articles · 7mo ago
Microsoft advises upgrade or migration to supported Exchange options
Mitigation Patch UpdateMicrosoft urges IT administrators to upgrade Exchange Server 2016 and Exchange Server 2019 deployments to Exchange Server Subscription Edition (SE) or migrate to Exchange Online, noting that Exchange Server 2019 supports an in-place upgrade to Exchange Server SE and that Exchange 2016 or 2013 environments should move to SE or first install Exchange 2019.
Show sources
- Microsoft: Exchange 2016 and 2019 have reached end of support — www.bleepingcomputer.com — 14.10.2025 21:26
- Microsoft: Exchange 2016 and 2019 have reached end of support — www.bleepingcomputer.com — 14.10.2025 21:26