Skip to main content

Microsoft Exchange Server CVE-2025-53782

HIGH
Incorrect Implementation of Authentication Algorithm (CWE-303)
2025-10-14 secure@microsoft.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local Exchange host access required (AV:L), low-priv authenticated user suffices (PR:L), no user interaction, and flawed auth grants full Exchange control yielding C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:30 vuln.today
CVE Published
Oct 14, 2025 - 17:15 nvd
HIGH 7.8

DescriptionNVD

Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Exchange Server 2016 (and Subscription Edition) stems from an incorrect implementation of an authentication algorithm (CWE-303), allowing a low-privileged local user to gain high-impact control over confidentiality, integrity, and availability of the mail platform. The flaw was reported by Microsoft (MSRC) and carries a CVSS 3.1 base of 7.8 (AV:L/AC:L/PR:L/UI:N). At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation by an authenticated insider on an Exchange host would yield full server compromise.

Technical ContextAI

Microsoft Exchange Server is the on-premises messaging and collaboration platform that handles mailbox storage, transport, and authentication for Outlook, OWA, and ActiveSync clients. CWE-303 (Incorrect Implementation of Authentication Algorithm) means the server's authentication logic deviates from the specified or intended algorithm - typically by mishandling tokens, comparing credentials incorrectly, or skipping a verification step - letting a caller assume an identity or role they have not legitimately authenticated as. The CPE list pins the affected build line to Exchange Server 2016 across cumulative updates CU1 through CU17, and the tags add Exchange Server Subscription Edition, indicating the defective code path persists across the 2016 servicing branch and the modernized SE release. Because the CVSS vector is AV:L with PR:L, the bug is reachable by a local, low-privilege principal on the Exchange host (for example a constrained service account or a logged-on operator), not by a remote unauthenticated user against OWA.

RemediationAI

Patch available per vendor advisory - apply the Microsoft Exchange security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53782 to the affected Exchange Server 2016 cumulative updates (CU1-CU17) and Exchange Server Subscription Edition, prioritizing internet-exposed or multi-admin Exchange hosts. Because exact fix versions were not enumerated in the provided input, obtain the specific KB and CU build numbers directly from the MSRC page before scheduling deployment, and as standard Exchange practice run Setup.exe /PrepareSchema where the update requires it. As compensating controls until patching completes, restrict interactive and remote PowerShell logon to the Exchange servers to a minimal Tier-0/Exchange-admin group (trade-off: may interrupt third-party backup or monitoring agents that log on locally), audit and rotate any shared service-account credentials with local rights on Exchange hosts (trade-off: requires coordinated app restarts), and tighten Exchange RBAC so unprivileged mailbox principals do not hold any management role assignments. Generic 'defense in depth' is not sufficient given CWE-303's algorithmic nature - there is no reliable configuration toggle that disables the flawed authentication path.

CVE-2020-17132 CRITICAL POC
9.1 Dec 10

Microsoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote

CVE-2022-23277 HIGH POC
8.8 Mar 09

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2021-42321 HIGH POC
8.8 Nov 10

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-16875 HIGH POC
8.4 Sep 11

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume

CVE-2021-28481 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-28480 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-0986 HIGH POC
8.8 Apr 04

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci

CVE-2018-16793 HIGH POC
8.6 Sep 21

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame

CVE-2019-0724 HIGH POC
8.1 Mar 05

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of

CVE-2023-36745 HIGH POC
8.0 Sep 12

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low

CVE-2013-0418 MEDIUM
6.8 Jan 17

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows

CVE-2021-33766 HIGH POC
7.3 Jul 14

Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re

Share

CVE-2025-53782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy