CVE-2025-25006: Microsoft Exchange Server Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.3)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Aug

Released

2025-08-12

EPSS Score

0.14% (percentile: 33.6%)

Description

Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and integrity (I:N), but could lead to some loss of availability (A:L). What does that mean for this vulnerability? An attacker could spoof incorrect 5322.From email address that is displayed to a user.

Affected Products (4)

ESU

• Microsoft Exchange Server 2019 Cumulative Update 15
• Microsoft Exchange Server 2016 Cumulative Update 23
• Microsoft Exchange Server 2019 Cumulative Update 14

Server Software

• Microsoft Exchange Server Subscription Edition RTM

Security Updates (4)

• 5063221
• 5063223
• 5063222
• 5063224

Acknowledgments

<a href="https://www.linkedin.com/in/anna-breeva-51476b163/">Anna Breeva</a>

Revision History

• 2025-08-12: Information published.