Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Authorized local attacker escalates privileges, so AV:L and PR:L with AC:L/UI:N; deserialization-driven code execution yields full C:H/I:H/A:H within unchanged scope.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of untrusted data in Microsoft Exchange Server allows an authorized attacker to elevate privileges locally.
AnalysisAI
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess low-level authenticated access to the affected Exchange host (PR:L) and local reach to the vulnerable process (AV:L), and to be running one of the affected on-premises builds: Exchange 2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a local attack (AV:L) of low complexity (AC:L) requiring some existing low-level privileges (PR:L) and no user interaction, yielding high confidentiality, integrity, and availability impact within an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already holds a low-privileged authenticated foothold on an Exchange server - for example a compromised service account, a limited management-role user, or a follow-on stage after a separate remote bug - supplies a crafted serialized payload to a vulnerable Exchange deserialization path. Because the attack is local, low-complexity, and requires no user interaction, the malicious object graph is deserialized and abused to run code or operations at a higher privilege level, giving the attacker full control of the mail environment. … |
| Remediation | Patch available per vendor advisory: apply the Microsoft security update for your Exchange build as documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55009 - the exact patched CU/SU version was not included in the provided data, so pull the specific update package for Exchange 2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM from the MSRC page and verify build numbers before deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Exchange Server instances to identify those running Microsoft Exchange Server 2016 CU23, 2019 CU14/CU15, or Subscription Edition RTM. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials
Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition
Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an aut
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44027
GHSA-78c8-h6hm-94hg