Microsoft Exchange Server Subscription Edition — known CVE vulnerabilities
Every CVE whose affected-product data names Microsoft Exchange Server Subscription Edition, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2025-59249 — CVSS 8.8 (high): Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
CVE-2026-45504 — CVSS 8.8 (high): Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
CVE-2025-53782 — CVSS 8.4 (high): Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges…
CVE-2026-45503 — CVSS 8.1 (high): Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.
CVE-2026-47631 — CVSS 8.1 (high): Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized…
CVE-2025-53786 — CVSS 8.0 (high): On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix…
CVE-2025-59248 — CVSS 7.5 (high): Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-33051 — CVSS 7.5 (high): Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose…
CVE-2025-64666 — CVSS 7.5 (high): Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
CVE-2026-45583 — CVSS 7.5 (high): Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over…
CVE-2025-25005 — CVSS 6.5 (medium): Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network.
CVE-2026-21527 — CVSS 6.5 (medium): User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform…
CVE-2026-45501 — CVSS 6.5 (medium): Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized…
CVE-2026-45500 — CVSS 6.1 (medium): Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized…
CVE-2025-64667 — CVSS 5.3 (medium): User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform…
CVE-2025-25007 — CVSS 5.3 (medium): Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over…
CVE-2025-25006 — CVSS 5.3 (medium): Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a…
CVE-2026-45502 — CVSS 5.0 (medium): Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.