Skip to main content

Microsoft Exchange Server CVE-2025-59248

HIGH
Improper Input Validation (CWE-20)
2025-10-14 secure@microsoft.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable Exchange service, unauthenticated and no user interaction per description and tags; spoofing yields high integrity impact only, with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:30 vuln.today
CVE Published
Oct 14, 2025 - 17:16 nvd
HIGH 7.5

DescriptionNVD

Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Spoofing in Microsoft Exchange Server (including 2016 cumulative updates and Subscription Edition) allows remote unauthenticated attackers to impersonate trusted entities over the network due to improper input validation. The flaw carries a CVSS 7.5 with integrity-only impact, and no public exploit identified at time of analysis. Defenders should treat it as a credible spoofing/authentication-bypass primitive that may be chained with downstream phishing or follow-on Exchange attacks.

Technical ContextAI

Microsoft Exchange Server is the on-premises messaging and collaboration platform providing SMTP, MAPI/HTTP, EWS, OWA, and Autodiscover services. The root cause is CWE-20 (Improper Input Validation): a server-side component fails to properly validate attacker-supplied input, enabling forged data to be accepted as legitimate. Tagged as an Authentication Bypass / Spoofing class issue, this typically manifests in Exchange as a trust-boundary failure - for example mishandling of identity, header, or token data - allowing one party's content or identity to be presented as another's. CPE data confirms Exchange Server 2016 across multiple cumulative updates (CU1 through CU17 enumerated) is in scope, and the advisory tags indicate Exchange Server Subscription Edition is also affected.

RemediationAI

Apply the Microsoft security update for CVE-2025-59248 as published in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59248; exact fix build numbers are listed there per Exchange Server 2016 cumulative update and for Exchange Server Subscription Edition, and administrators should install the security update matching their current CU level (Patch available per vendor advisory). Until patched, restrict external exposure of Exchange surfaces that are not strictly required - for example limiting OWA, EWS, and Autodiscover access to known IP ranges or VPN-only via the perimeter or Exchange Front End, accepting the trade-off of breaking external mobile and roaming Outlook clients. Enforce strict SPF/DKIM/DMARC alignment and TLS on inbound SMTP to reduce downstream impact of spoofed messages, and monitor IIS, transport, and OWA logs for anomalous authentication and identity-mismatch events; note that none of these workarounds substitute for the vendor update.

CVE-2020-17132 CRITICAL POC
9.1 Dec 10

Microsoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote

CVE-2022-23277 HIGH POC
8.8 Mar 09

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2021-42321 HIGH POC
8.8 Nov 10

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-16875 HIGH POC
8.4 Sep 11

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume

CVE-2021-28481 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-28480 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-0986 HIGH POC
8.8 Apr 04

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci

CVE-2018-16793 HIGH POC
8.6 Sep 21

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame

CVE-2019-0724 HIGH POC
8.1 Mar 05

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of

CVE-2023-36745 HIGH POC
8.0 Sep 12

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low

CVE-2013-0418 MEDIUM
6.8 Jan 17

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows

CVE-2021-33766 HIGH POC
7.3 Jul 14

Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re

Share

CVE-2025-59248 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy