Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Exchange Server allows an unauthenticated network-based attacker to execute arbitrary code on the mail server through code injection, though successful exploitation requires user interaction and faces high attack complexity. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. The vulnerability is rated CVSS 7.5 with full confidentiality, integrity, and availability impact on a compromised Exchange host.
Technical ContextAI
The flaw is classified under CWE-94 (Improper Control of Generation of Code, commonly known as code injection), meaning untrusted input is incorporated into a code construct that the Exchange Server subsequently interprets or executes. Microsoft Exchange Server is an enterprise messaging platform exposing SMTP, OWA, EWS, MAPI/HTTP, and PowerShell remoting endpoints, any of which can become an injection surface when input parsers feed values into dynamic code paths such as scripting engines, deserializers, or template processors. The references point only to Microsoft's MSRC update guide entry, and no specific subsystem or affected build is enumerated in the supplied data, but CWE-94 in Exchange historically maps to PowerShell, .NET deserialization, or transport-rule expression evaluation paths.
RemediationAI
No vendor-released patch version is identified in the supplied data, so the primary action is to consult Microsoft's MSRC update guide entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45583 and apply the security update or cumulative update Microsoft lists for each affected Exchange Server build as soon as it is published. Until patching, restrict external exposure of OWA, ECP, EWS, and PowerShell remoting endpoints to VPN or trusted networks only (which will reduce remote attack surface but will also block legitimate remote users and mobile clients), enforce admin MFA and minimize the number of accounts that can interact with administrative web pages or open inbound mail attachments (since UI:R is part of the chain), and ensure Exchange anti-malware/transport scanning and EDR with Exchange-aware detections are enabled to flag suspicious child processes spawned by w3wp.exe, EdgeTransport.exe, or PowerShell.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35681
GHSA-2qq9-7ppw-4m9q