KB5074992 — Security Update for Microsoft Exchange Server Subscription Edition RTM

Overview

KB5074992 is a critical security update released on February 10, 2026, for Microsoft Exchange Server Subscription Edition RTM. This update addresses multiple high-severity vulnerabilities that could allow attackers to compromise Exchange Server environments through remote code execution, elevation of privilege, and authentication bypass attacks.

Affected Systems

This security update applies specifically to:

Organizations running other versions of Exchange Server should consult separate security bulletins for applicable updates.

Security Vulnerabilities Addressed

The update resolves several critical security vulnerabilities:

Remote Code Execution in Exchange Web Services

A critical vulnerability in Exchange Web Services could allow authenticated attackers to execute arbitrary code on the Exchange server. This flaw stems from improper validation of user input in EWS requests, potentially leading to complete server compromise.

Elevation of Privilege in Exchange Management Shell

An elevation of privilege vulnerability in Exchange Management Shell could allow low-privileged users to gain administrative access to Exchange Server. The vulnerability affects PowerShell cmdlet execution and role-based access controls.

Server-Side Request Forgery in Outlook Web App

A server-side request forgery vulnerability in Outlook Web App could allow attackers to make unauthorized requests to internal network resources, potentially exposing sensitive information or accessing restricted services.

Authentication Bypass in Exchange ActiveSync

An authentication bypass vulnerability in Exchange ActiveSync could allow unauthorized access to mailbox data without proper credentials, affecting mobile device synchronization security.

Technical Details

The security update modifies several core Exchange Server components:

Exchange Web Services Components

Updates to Microsoft.Exchange.WebServices.dll and related libraries implement enhanced input validation and output encoding to prevent code injection attacks. The update also strengthens authentication mechanisms for EWS endpoints.

Management Shell Security

Modifications to Microsoft.Exchange.Management.dll and PowerShell modules implement stricter permission checks and improve role-based access control enforcement. Custom cmdlets and scripts may require updates to maintain compatibility.

Outlook Web App Security

Updates to Microsoft.Exchange.Clients.Owa2.dll include improved URL validation, enhanced proxy security, and stronger content security policies to prevent SSRF and cross-site scripting attacks.

ActiveSync Authentication

Changes to Microsoft.Exchange.AirSync.dll strengthen mobile device authentication and implement additional security checks for device access policies.

Installation Requirements

Before installing KB5074992, ensure the following requirements are met:

• System Requirements: Exchange Server Subscription Edition RTM installed and running
• Disk Space: Minimum 1 GB free space on system drive
• Memory: At least 2 GB available RAM during installation
• Services: All Exchange services must be running
• Permissions: Local administrator rights required

Deployment Considerations

For enterprise environments with multiple Exchange servers:

High Availability Deployments

In Database Availability Group (DAG) configurations, install the update on one server at a time to maintain service availability. Allow sufficient time between installations for database replication to complete.

Load Balancer Configuration

Temporarily remove servers from load balancer pools during update installation to prevent service disruption. Return servers to the pool after verifying successful installation and service functionality.

Monitoring and Validation

Monitor Exchange services and performance metrics after installation. Verify that all Exchange functionality operates correctly before proceeding to additional servers.

Post-Installation Verification

After installing KB5074992, perform the following verification steps:

Service Status Check

Get-Service MSExchange* | Where-Object {$_.Status -ne 'Running'}

Update Installation Verification

Get-ExchangeServer | Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object {$_.HotFixID -eq 'KB5074992'}

Functionality Testing

• Test Outlook Web App access and functionality
• Verify Exchange Management Console connectivity
• Confirm ActiveSync device synchronization
• Test PowerShell cmdlet execution