Exchange Server
by Microsoft
CVEs (233)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-21529 | High | 0.77 | 8.8 | 0.62 | KEV | Feb 14, 2023 | Microsoft Exchange Server Remote Code Execution Vulnerability |
| CVE-2017-8540 | High | 0.71 | 7.8 | 0.72 | KEV | May 26, 2017 | The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server… |
| CVE-2018-8302 | Critical | 0.66 | 9.8 | 0.26 | | Aug 15, 2018 | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2026-42897 | High | 0.65 | 8.1 | 0.06 | KEV | May 14, 2026 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2018-8154 | Critical | 0.65 | 9.8 | 0.22 | | May 9, 2018 | A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka "Microsoft Exchange Memory Corruption Vulnerability." This affects Microsoft Exchange Server. This CVE ID is unique from CVE-2018-8151. |
| CVE-2018-0986 | High | 0.65 | 8.8 | 0.61 | | Apr 4, 2018 | A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability." This affects Windows Defender,… |
| CVE-2026-45504 | High | 0.57 | 8.8 | 0.00 | | Jun 9, 2026 | Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-59249 | High | 0.57 | 8.8 | 0.01 | | Oct 14, 2025 | Weak authentication in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2018-16793 | High | 0.57 | 8.6 | 0.11 | | Sep 21, 2018 | Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parameter in /owa/auth/logon.aspx in the OWA (Outlook Web Access) login page. |
| CVE-2025-53782 | High | 0.55 | 8.4 | 0.00 | | Oct 14, 2025 | Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally. |
| CVE-2026-47631 | High | 0.53 | 8.1 | 0.00 | | Jun 9, 2026 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-45503 | High | 0.53 | 8.1 | 0.00 | | Jun 9, 2026 | Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. |
| CVE-2017-11932 | High | 0.53 | 8.1 | 0.06 | | Dec 12, 2017 | Microsoft Exchange Server 2016 CU5 and Microsoft Exchange Server 2016 CU5 allow a spoofing vulnerability due to the way Outlook Web Access (OWA) validates web requests, aka "Microsoft Exchange Spoofing Vulnerability". |
| CVE-2017-11937 | High | 0.53 | 7.8 | 0.28 | | Dec 7, 2017 | The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, 1709 and Windows Server 2016, Windows Server, version 1709, Microsoft Exchange Server 2013 and… |
| CVE-2025-53786 | High | 0.52 | 8.0 | 0.07 | | Aug 6, 2025 | On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation,… |
| CVE-2018-8265 | High | 0.52 | 7.8 | 0.20 | | Oct 10, 2018 | A remote code execution vulnerability exists in the way Microsoft Exchange software parses specially crafted email messages, aka "Microsoft Exchange Remote Code Execution Vulnerability." This affects Microsoft Exchange Server. |
| CVE-2017-11940 | High | 0.52 | 7.8 | 0.20 | | Dec 8, 2017 | The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, 1709 and Windows Server 2016, Windows Server, version 1709, Microsoft Exchange Server 2013 and… |
| CVE-2026-45583 | High | 0.49 | 7.5 | 0.00 | | Jun 9, 2026 | Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network. |
| CVE-2025-64666 | High | 0.49 | 7.5 | 0.01 | | Dec 9, 2025 | Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-59248 | High | 0.49 | 7.5 | 0.01 | | Oct 14, 2025 | Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. |