CVE-2025-25007: Microsoft Exchange Server Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.3)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Aug

Released

2025-08-12

EPSS Score

0.19% (percentile: 41.2%)

Description

Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and integrity (I:N), but could lead to some loss of availability (A:L). What does that mean for this vulnerability? An attacker could spoof incorrect 5322.From email address that is displayed to a user.

Affected Products (4)

Server Software

• Microsoft Exchange Server Subscription Edition RTM

ESU

• Microsoft Exchange Server 2016 Cumulative Update 23
• Microsoft Exchange Server 2019 Cumulative Update 14
• Microsoft Exchange Server 2019 Cumulative Update 15

Security Updates (4)

• 5063224
• 5063223
• 5063222
• 5063221

Revision History

• 2025-08-12: Information published.