Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Why are update links missing for some Exchange products? For Exchange Server 2016 and 2019, update links are not provided because these versions are out of support and security updates are only available through the Extended Security Update (ESU) program. Customers enrolled in ESU can access the December 2025 and future updates, while those not enrolled should migrate to Exchange Server Subscription Edition (SE) to continue receiving security updates. If you have purchased ESU and need assistance accessing updates, contact Microsoft at **ExchangeandSfBServerESUInquiry@service.microsoft.com. ** For more details, see the official blog post. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges.
National Security Agency