Skip to main content

Microsoft Exchange Server CVE-2026-45583

| EUVDEUVD-2026-35681 HIGH
Code Injection (CWE-94)
2026-06-09 secure@microsoft.com GHSA-2qq9-7ppw-4m9q
7.5
CVSS 3.1 · NVD
Temporal: 6.5
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.5 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:16 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 7.5

DescriptionCVE.org

Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.

Technical ContextAI

The flaw is classified under CWE-94 (Improper Control of Generation of Code, commonly known as code injection), meaning untrusted input is incorporated into a code construct that the Exchange Server subsequently interprets or executes. Microsoft Exchange Server is an enterprise messaging platform exposing SMTP, OWA, EWS, MAPI/HTTP, and PowerShell remoting endpoints, any of which can become an injection surface when input parsers feed values into dynamic code paths such as scripting engines, deserializers, or template processors. The references point only to Microsoft's MSRC update guide entry, and no specific subsystem or affected build is enumerated in the supplied data, but CWE-94 in Exchange historically maps to PowerShell, .NET deserialization, or transport-rule expression evaluation paths.

RemediationAI

No vendor-released patch version is identified in the supplied data, so the primary action is to consult Microsoft's MSRC update guide entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45583 and apply the security update or cumulative update Microsoft lists for each affected Exchange Server build as soon as it is published. Until patching, restrict external exposure of OWA, ECP, EWS, and PowerShell remoting endpoints to VPN or trusted networks only (which will reduce remote attack surface but will also block legitimate remote users and mobile clients), enforce admin MFA and minimize the number of accounts that can interact with administrative web pages or open inbound mail attachments (since UI:R is part of the chain), and ensure Exchange anti-malware/transport scanning and EDR with Exchange-aware detections are enabled to flag suspicious child processes spawned by w3wp.exe, EdgeTransport.exe, or PowerShell.

Share

CVE-2026-45583 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy