Description
Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
Published: 2025-12-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper input validation flaw in Microsoft Exchange Server that allows an authorized attacker connecting over a network to gain higher privileges than intended. The weakness is classified as CWE‑20 (Improper Input Validation). The consequence is a loss of system integrity: the attacker could perform actions as a privileged user and possibly take control of the server environment. This is not a denial-of-service or data-exposure issue but a privilege escalation that can lead to full compromise of the host.

Affected Systems

Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft Exchange Server 2019 Cumulative Updates 14 and 15, and Microsoft Exchange Server Subscription Edition (SE) at its initial RTM release. These are the versions the CNA explicitly identifies as affected. Other build numbers that appear in the CPE list may be contemporaneous with or superseded by these updates, but the CNA confirms only the versions above as impacted.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 rates the flaw as high severity. The EPSS score of <1% indicates a low likelihood of exploitation at the time of this analysis, and the vulnerability is not currently listed in CISA's KEV catalog. The CVSS vector (AV:N/AC:H/PR:L/UI:N) and the description agree that the attacker must already hold some authorization (low privileges) and reaches the flaw over the network without user interaction; the attack complexity is rated high. Because no public exploit has been reported, the current risk is moderate, but the potential impact is severe enough to warrant prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest cumulative update for Microsoft Exchange Server 2016 (CU23 or a newer release) and for Microsoft Exchange Server 2019 (CU14, CU15, or a newer release).
  • If an update cannot be applied immediately, restrict access to the Exchange services to trusted networks and enforce least‑privilege policies on all accounts that can reach the server.
  • Continuously monitor authentication and privilege‑elevation logs for anomalous activity and consider enabling intrusion‑detection rules that flag unusual privilege changes.


Advisories

No advisories yet.

History

Fri, 02 Jan 2026 21:15:00 +0000

Type                  Values Removed / Values Added
First Time appeared   Microsoft Exchange Server
Weaknesses            NVD-CWE-noinfo
CPEs                  cpe:2.3:a:microsoft:exchange_server:*:*:*:*:subscription:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:-:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_1:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_2:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_3:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_4:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_5:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_6:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_7:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_13:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*
Vendors & Products    Microsoft Exchange Server

Tue, 09 Dec 2025 21:15:00 +0000

Type                  Values Removed / Values Added
Metrics               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type                  Values Removed / Values Added
Description           Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
Title                 Microsoft Exchange Server Elevation of Privilege Vulnerability
First Time appeared   Microsoft
                      Microsoft Exchange Server 2016
                      Microsoft Exchange Server 2019
                      Microsoft Exchange Server SE
Weaknesses            CWE-20
CPEs                  cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
                      cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*
Vendors & Products    Microsoft
                      Microsoft Exchange Server 2016
                      Microsoft Exchange Server 2019
                      Microsoft Exchange Server SE
References
Metrics               cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:39.837Z

Reserved: 2025-11-06T23:40:37.276Z

Link: CVE-2025-64666

Vulnrichment

Updated: 2025-12-09T20:16:14.522Z

NVD

Status : Analyzed

Published: 2025-12-09T18:16:05.910

Modified: 2026-01-02T21:15:10.337

Link: CVE-2025-64666

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses