Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.
According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability?

Exploitation depends on an attacker being able to place themselves in a machine-in-the-middle position on the network during use of the affected script. Because this requires specific network conditions that are not commonly present, the vulnerability is more difficult to exploit than issues that can be triggered directly.

How could an attacker exploit this vulnerability?

An attacker who is able to intercept network traffic could interfere with the secure connection used by the Exchange migration script and inject malicious data. When the script is run during a hybrid migration, this could cause unintended commands to run on the on-premises Exchange server with administrative permissions.

Is there anything to be done in addition to installing the June 2026 security updates for my Exchange Server?

Yes, Microsoft recommends that customers download and use the latest, fixed version of the Public Folder scripts. The versions of the Public Folder scripts included with Exchange Server are outdated and will be removed in a future update. Customers can download the latest version of the Public Folder scripts here.
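The advisory's mitigation is to run the downloaded, fixed Public Folder scripts rather than the outdated copies bundled with Exchange. The following pre-flight check is an added example, not Microsoft's code or part of the advisory: before an administrator runs a migration script, it confirms the file carries a valid Microsoft Authenticode signature and is not the stale copy under the Exchange installation directory. It assumes the downloaded scripts are Authenticode-signed by Microsoft (labelled as an assumption), uses the standard ExchangeInstallPath environment variable that Exchange setup defines, and takes the script path as a parameter; the subject-name match is a simplifying check, not a full chain policy.

```powershell
# Added example (not the advisory's or Microsoft's code).
# Pre-flight check for a Public Folder migration script before it is run
# on an on-premises Exchange server.
param(
    [Parameter(Mandatory = $true)]
    [string] $ScriptPath   # path to the script downloaded from Microsoft
)

$resolved = (Resolve-Path -LiteralPath $ScriptPath).Path

# 1. Refuse the outdated copy shipped under the Exchange install directory.
#    Exchange setup sets ExchangeInstallPath for the server.
if ($env:ExchangeInstallPath) {
    $bundledScripts = Join-Path $env:ExchangeInstallPath 'Scripts'
    if ($resolved -like "$bundledScripts*") {
        throw "Refusing '$resolved': this is the bundled copy, which the advisory states is outdated. Use the downloaded, fixed version."
    }
}

# 2. Require a valid Authenticode signature (assumption: the fixed scripts are
#    signed by Microsoft). A tampered or truncated download fails this check.
$sig = Get-AuthenticodeSignature -FilePath $resolved
if ($sig.Status -ne 'Valid') {
    throw "Refusing '$resolved': Authenticode status is '$($sig.Status)'."
}

# 3. Simplified signer check on the leaf certificate subject.
if ($sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
    throw "Refusing '$resolved': signer is '$($sig.SignerCertificate.Subject)', not Microsoft."
}

Write-Host "OK: '$resolved' is signed by Microsoft and is not the bundled copy."
Write-Host "Signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
```

Run it as `.\Check-PublicFolderScript.ps1 -ScriptPath C:\Downloads\<downloaded-script>.ps1` (file name is a placeholder) from the Exchange Management Shell on the server where the hybrid migration will be run; a non-zero exit from any `throw` means the migration should not proceed with that file.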
Anonymous