Microsoft Exchange Server
CVE-2025-64666
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable Exchange endpoint (AV:N), requires valid low-privilege mailbox account (PR:L), no user interaction (UI:N), high complexity due to input-validation race/state conditions (AC:H), full CIA impact via privilege elevation on the Exchange server.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation in Microsoft Exchange Server 2016 (and Subscription Edition per vendor tagging) allows an authenticated attacker on the network to elevate privileges through improper input validation (CWE-20). The flaw carries a CVSS 7.5 score with high impact to confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis.
Technical ContextAI
Microsoft Exchange Server is an enterprise mail and collaboration platform that exposes a large attack surface through MAPI/HTTP, EWS, OWA, ECP, and PowerShell remoting endpoints. The root cause is CWE-20 (Improper Input Validation), meaning a component within Exchange fails to adequately validate attacker-supplied input received over the network, and that improperly validated data ultimately drives a privilege decision or operation executed in a higher-privilege context. CPE data confirms Exchange Server 2016 and its cumulative updates 1 through 17 are enumerated as affected, and the vendor tagging additionally references Exchange Server Subscription Edition, suggesting the vulnerable code path is shared across modern Exchange branches.
RemediationAI
Patch available per vendor advisory: apply the security updates published by Microsoft for CVE-2025-64666 as listed in the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64666, ensuring all Exchange 2016 servers are brought to the latest cumulative update plus the corresponding security update, and that Exchange Server Subscription Edition deployments receive the matching SU. Until patched, reduce exposure by restricting access to Exchange management endpoints (ECP, PowerShell remoting, EWS) to administrative networks only via firewall or reverse-proxy ACLs, enforce strong authentication and MFA on all mailbox accounts to raise the bar against the PR:L precondition, and monitor Exchange and IIS logs for anomalous authenticated requests to administrative URLs; note that restricting ECP/EWS can break legitimate Outlook on the Web administration and third-party integrations, so stage changes carefully.
More in Exchange Server
View allMicrosoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows
Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today