Microsoft Exchange Server
CVE-2025-53782
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local Exchange host access required (AV:L), low-priv authenticated user suffices (PR:L), no user interaction, and flawed auth grants full Exchange control yielding C:H/I:H/A:H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Exchange Server 2016 (and Subscription Edition) stems from an incorrect implementation of an authentication algorithm (CWE-303), allowing a low-privileged local user to gain high-impact control over confidentiality, integrity, and availability of the mail platform. The flaw was reported by Microsoft (MSRC) and carries a CVSS 3.1 base of 7.8 (AV:L/AC:L/PR:L/UI:N). At time of analysis, no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but exploitation by an authenticated insider on an Exchange host would yield full server compromise.
Technical ContextAI
Microsoft Exchange Server is the on-premises messaging and collaboration platform that handles mailbox storage, transport, and authentication for Outlook, OWA, and ActiveSync clients. CWE-303 (Incorrect Implementation of Authentication Algorithm) means the server's authentication logic deviates from the specified or intended algorithm - typically by mishandling tokens, comparing credentials incorrectly, or skipping a verification step - letting a caller assume an identity or role they have not legitimately authenticated as. The CPE list pins the affected build line to Exchange Server 2016 across cumulative updates CU1 through CU17, and the tags add Exchange Server Subscription Edition, indicating the defective code path persists across the 2016 servicing branch and the modernized SE release. Because the CVSS vector is AV:L with PR:L, the bug is reachable by a local, low-privilege principal on the Exchange host (for example a constrained service account or a logged-on operator), not by a remote unauthenticated user against OWA.
RemediationAI
Patch available per vendor advisory - apply the Microsoft Exchange security update referenced at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53782 to the affected Exchange Server 2016 cumulative updates (CU1-CU17) and Exchange Server Subscription Edition, prioritizing internet-exposed or multi-admin Exchange hosts. Because exact fix versions were not enumerated in the provided input, obtain the specific KB and CU build numbers directly from the MSRC page before scheduling deployment, and as standard Exchange practice run Setup.exe /PrepareSchema where the update requires it. As compensating controls until patching completes, restrict interactive and remote PowerShell logon to the Exchange servers to a minimal Tier-0/Exchange-admin group (trade-off: may interrupt third-party backup or monitoring agents that log on locally), audit and rotate any shared service-account credentials with local rights on Exchange hosts (trade-off: requires coordinated app restarts), and tighten Exchange RBAC so unprivileged mailbox principals do not hold any management role assignments. Generic 'defense in depth' is not sufficient given CWE-303's algorithmic nature - there is no reliable configuration toggle that disables the flawed authentication path.
More in Exchange Server
View allMicrosoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows
Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today