Skip to main content

Microsoft Exchange Server CVE-2025-64666

HIGH
Improper Input Validation (CWE-20)
2025-12-09 secure@microsoft.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable Exchange endpoint (AV:N), requires valid low-privilege mailbox account (PR:L), no user interaction (UI:N), high complexity due to input-validation race/state conditions (AC:H), full CIA impact via privilege elevation on the Exchange server.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:31 vuln.today
CVE Published
Dec 09, 2025 - 18:16 nvd
HIGH 7.5

DescriptionNVD

Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Exchange Server 2016 (and Subscription Edition per vendor tagging) allows an authenticated attacker on the network to elevate privileges through improper input validation (CWE-20). The flaw carries a CVSS 7.5 score with high impact to confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis.

Technical ContextAI

Microsoft Exchange Server is an enterprise mail and collaboration platform that exposes a large attack surface through MAPI/HTTP, EWS, OWA, ECP, and PowerShell remoting endpoints. The root cause is CWE-20 (Improper Input Validation), meaning a component within Exchange fails to adequately validate attacker-supplied input received over the network, and that improperly validated data ultimately drives a privilege decision or operation executed in a higher-privilege context. CPE data confirms Exchange Server 2016 and its cumulative updates 1 through 17 are enumerated as affected, and the vendor tagging additionally references Exchange Server Subscription Edition, suggesting the vulnerable code path is shared across modern Exchange branches.

RemediationAI

Patch available per vendor advisory: apply the security updates published by Microsoft for CVE-2025-64666 as listed in the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64666, ensuring all Exchange 2016 servers are brought to the latest cumulative update plus the corresponding security update, and that Exchange Server Subscription Edition deployments receive the matching SU. Until patched, reduce exposure by restricting access to Exchange management endpoints (ECP, PowerShell remoting, EWS) to administrative networks only via firewall or reverse-proxy ACLs, enforce strong authentication and MFA on all mailbox accounts to raise the bar against the PR:L precondition, and monitor Exchange and IIS logs for anomalous authenticated requests to administrative URLs; note that restricting ECP/EWS can break legitimate Outlook on the Web administration and third-party integrations, so stage changes carefully.

CVE-2020-17132 CRITICAL POC
9.1 Dec 10

Microsoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote

CVE-2022-23277 HIGH POC
8.8 Mar 09

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2021-42321 HIGH POC
8.8 Nov 10

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-16875 HIGH POC
8.4 Sep 11

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume

CVE-2021-28481 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-28480 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-0986 HIGH POC
8.8 Apr 04

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci

CVE-2018-16793 HIGH POC
8.6 Sep 21

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame

CVE-2019-0724 HIGH POC
8.1 Mar 05

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of

CVE-2023-36745 HIGH POC
8.0 Sep 12

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low

CVE-2013-0418 MEDIUM
6.8 Jan 17

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows

CVE-2021-33766 HIGH POC
7.3 Jul 14

Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re

Share

CVE-2025-64666 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy