Description
Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of code generation (code injection) in Microsoft Exchange Server allows an unauthorized attacker to execute arbitrary code over a network. The flaw is a CWE-94 vulnerability that can compromise the integrity and confidentiality of the affected systems and potentially allow full system compromise if exploited.

Affected Systems

Microsoft Exchange Server 2016 with Cumulative Update 23, Microsoft Exchange Server 2019 with Cumulative Update 14 and 15, and Microsoft Exchange Server Subscription Edition RTM are affected by this vulnerability.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. Although the EPSS score is not available and the vulnerability is not listed in CISA KEV, the lack of authentication requirement and the network-based code injection path make it highly exploitable. Attackers can potentially execute arbitrary code remotely, especially if they can reach the affected Exchange servers.

Generated by OpenCVE AI on June 9, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Exchange Server cumulative update for your version (CU23 for 2016, CU15 for 2019, or the appropriate update for the Subscription Edition) from the Microsoft security update guide.
  • After installing the cumulative update, restart all Exchange services to ensure the patch takes effect.
  • As a temporary mitigation, block inbound traffic to the affected Exchange endpoints (e.g., via firewall rules) to prevent exploitation until the patch is deployed.

Generated by OpenCVE AI on June 9, 2026 at 19:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.
Title Microsoft Exchange Server Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
Weaknesses CWE-94
CPEs cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Exchange Server 2016 Exchange Server 2019 Exchange Server Se
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T10:28:44.291Z

Reserved: 2026-05-12T19:55:45.729Z

Link: CVE-2026-45583

cve-icon Vulnrichment

Updated: 2026-06-10T10:28:39.643Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:26.440

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45583

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T03:15:20Z

Weaknesses