Skip to main content

Microsoft Exchange Server CVE-2026-55009

| EUVDEUVD-2026-44027 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-14 microsoft GHSA-78c8-h6hm-94hg
7.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.8 HIGH

Authorized local attacker escalates privileges, so AV:L and PR:L with AC:L/UI:N; deserialization-driven code execution yields full C:H/I:H/A:H within unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 17:58 vuln.today
CVE Published
Jul 14, 2026 - 17:05 nvd
HIGH 7.8

DescriptionCVE.org

Deserialization of untrusted data in Microsoft Exchange Server allows an authorized attacker to elevate privileges locally.

AnalysisAI

Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv foothold on Exchange host
Delivery
Craft malicious serialized payload
Exploit
Submit to vulnerable deserialization path
Execution
Trigger CWE-502 gadget execution
Persist
Elevate to higher privileges
Impact
Full control of mail server

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess low-level authenticated access to the affected Exchange host (PR:L) and local reach to the vulnerable process (AV:L), and to be running one of the affected on-premises builds: Exchange 2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes a local attack (AV:L) of low complexity (AC:L) requiring some existing low-level privileges (PR:L) and no user interaction, yielding high confidentiality, integrity, and availability impact within an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds a low-privileged authenticated foothold on an Exchange server - for example a compromised service account, a limited management-role user, or a follow-on stage after a separate remote bug - supplies a crafted serialized payload to a vulnerable Exchange deserialization path. Because the attack is local, low-complexity, and requires no user interaction, the malicious object graph is deserialized and abused to run code or operations at a higher privilege level, giving the attacker full control of the mail environment. …
Remediation Patch available per vendor advisory: apply the Microsoft security update for your Exchange build as documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55009 - the exact patched CU/SU version was not included in the provided data, so pull the specific update package for Exchange 2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM from the MSRC page and verify build numbers before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Exchange Server instances to identify those running Microsoft Exchange Server 2016 CU23, 2019 CU14/CU15, or Subscription Edition RTM. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy