Description
User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Published: 2025-12-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing (Impersonation)
Action: Patch
AI Analysis

Impact

User interface misrepresentation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. The flaw misrepresents critical information, which could lead administrators and users to accept false data or be misled by the altered interface. While the CVE text does not explicitly state that attackers can acquire credentials, it is inferred that the spoofing could facilitate convincing a user to act on fabricated information, potentially enabling unauthorized actions.

Affected Systems

Microsoft Exchange Server 2016 with Cumulative Update 23, Microsoft Exchange Server 2019 with Cumulative Updates 14 and 15, and Microsoft Exchange Server Subscription Edition Release To Manufacturing are affected by the flaw.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to deliver a spoofed interface element over the network to a user; this likely requires social engineering or trust in the altered UI, making exploitation difficult. Overall risk remains moderate but active exploitation is currently unreported.

Generated by OpenCVE AI on April 20, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Microsoft Exchange Server 2016 Cumulative Update 23 to fix the UI spoofing flaw.
  • Install Microsoft Exchange Server 2019 Cumulative Updates 14 and 15 to remove the vulnerability.
  • Apply the Microsoft Exchange Server Subscription Edition RTM update package to correct the misrepresentation.

Generated by OpenCVE AI on April 20, 2026 at 16:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 02 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft exchange Server
CPEs cpe:2.3:a:microsoft:exchange_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:-:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_21:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_3:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_4:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_5:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_6:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_7:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_10:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_13:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_5:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_6:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_7:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*
Vendors & Products Microsoft exchange Server

Tue, 09 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Title Microsoft Exchange Server Spoofing Vulnerability
First Time appeared Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
Weaknesses CWE-451
CPEs cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Exchange Server Exchange Server 2016 Exchange Server 2019 Exchange Server Se
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:39.361Z

Reserved: 2025-11-06T23:40:37.276Z

Link: CVE-2025-64667

cve-icon Vulnrichment

Updated: 2025-12-09T20:16:22.276Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T18:16:06.067

Modified: 2026-01-02T21:15:48.940

Link: CVE-2025-64667

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses