Microsoft Exchange Server is a widely used enterprise email, calendaring, and collaboration platform developed by Microsoft, designed to help organizations manage email, contacts, calendars, and tasks efficiently while supporting secure communication and integration with other Microsoft services. Due to its critical role in business operations and the sensitive information it handles, Exchange Server is a frequent target for cyberattacks, with vulnerabilities potentially leading to data breaches, unauthorized access, and system compromise.
This page provides a comprehensive, regularly updated list of significant Microsoft Exchange Server security vulnerabilities, each linked to its official CVE report at Microsoft’s Security Response Center. The aim is to help IT professionals, administrators, and security teams quickly identify, assess, and address known threats to ensure their Exchange environments remain secure.
Exchange Server Vulnerabilities for 2024
| CVE | Description | Released | Severity | Actively Exploited |
|---|---|---|---|---|
| CVE-2024-49040 | A high-severity spoofing vulnerability affecting Microsoft Exchange Server that allows attackers to forge legitimate senders on incoming emails. Microsoft Exchange Server Spoofing Vulnerability. | 2024-11-12 | 7.5 | |
| CVE-2024-26198 | A high-severity remote code execution vulnerability in Microsoft Exchange Server that allows attackers to execute arbitrary code by exploiting an untrusted search path, potentially leading to full system compromise if a user is tricked into opening a malicious file or email. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2024-03-12 | 8.8 | |
| CVE-2024-21410 | The vulnerability allows attackers to perform privilege escalation attacks by exploiting NTLM credential leaking in clients like Outlook. Microsoft Exchange Server Elevation of Privilege Vulnerability. Details: CVE-2024-21410. | 2024-02-13 | 9.8 | ⚠️ |
Exchange Server Vulnerabilities for 2023
| CVE | Description | Released | Severity | Actively Exploited |
|---|---|---|---|---|
| CVE-023-36439 | A high-severity vulnerability in Microsoft Exchange Server that allows remote attackers to execute arbitrary code via improper deserialization, potentially compromising the affected system. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-11-14 | 8.0 | |
| CVE-2023-36050 | A high-severity vulnerability in Microsoft Exchange Server that allows unauthenticated attackers to spoof email addresses by exploiting improper handling of email addresses during delivery, potentially enabling phishing attacks. Microsoft Exchange Server Spoofing Vulnerability. | 2023-11-14 | 8.0 | |
| CVE-2023-36039 | A high-severity vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker to perform email spoofing by manipulating email header information, potentially tricking recipients into revealing sensitive information or downloading malware. Microsoft Exchange Server Spoofing Vulnerability. | 2023-11-14 | 8.0 | |
| CVE-2023-36035 | A high-severity vulnerability in Microsoft Exchange Server that allows unauthenticated attackers to spoof emails by exploiting improper validation of email addresses during external message delivery, potentially enabling phishing attacks. Microsoft Exchange Server Spoofing Vulnerability. | 2023-11-14 | 8.0 | |
| CVE-2023-36778 | A high-severity vulnerability in Microsoft Exchange Server that allows a remote authenticated attacker to execute arbitrary code on the affected system, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability | 2023-10-10 | 8.0 | |
| CVE-2023-36777 | An information disclosure vulnerability in Microsoft Exchange Server that allows authenticated attackers with LAN access to read sensitive file content from the server, potentially leading to data leaks if not patched. Microsoft Exchange Server Information Disclosure Vulnerability. | 2023-09-12 | 5.7 | |
| CVE-2023-36757 | A high-severity vulnerability in Microsoft Exchange Server that allows authenticated attackers to cause a denial-of-service condition by exploiting improper deserialization of untrusted data in the ExFileLog class. Microsoft Exchange Server Spoofing Vulnerability. | 2023-09-12 | 8.0 | |
| CVE-2023-36756 | a high-severity vulnerability in Microsoft Exchange Server that allows authenticated attackers to achieve remote code execution by exploiting improper deserialization of untrusted data, potentially enabling them to upload a web shell and fully compromise the server. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-09-12 | 8.0 | |
| CVE-2023-36745 | A high-severity remote code execution vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker with LAN access to execute arbitrary code on the server by exploiting improper deserialization of untrusted data, potentially leading to full system compromise if left unpatched. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-09-12 | 8.0 | |
| CVE-2023-36744 | A high-severity remote code execution vulnerability in Microsoft Exchange Server that allows authenticated attackers with LAN access to write arbitrary files to the server, which can be exploited as part of an attack chain to execute malicious code and potentially fully compromise the system. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-09-12 | 8.0 | |
| CVE-2023-38185 | A high-severity remote code execution vulnerability in Microsoft Exchange Server that allows authenticated attackers to execute arbitrary code on the server, potentially by sending specially crafted emails or attachments, and poses a significant risk of unauthorized access and system compromise if left unpatched. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-08-08 | 8.8 | |
| CVE-2023-38182 | A remote code execution vulnerability in Microsoft Exchange Server that allows an authenticated attacker on the same intranet to execute arbitrary code via a PowerShell remoting session, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability | 2023-08-08 | 8.0 | |
| CVE-2023-38181 | High-severity spoofing vulnerability in Microsoft Exchange Server that allows authenticated attackers to manipulate email headers and potentially retrieve Net-NTLMv2 hashes via PowerShell remoting, increasing the risk of phishing and credential compromise. Microsoft Exchange Server Spoofing Vulnerability. | 2023-08-08 | 8.8 | |
| CVE-2023-35388 | A high-severity remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019 that allows authenticated attackers with LAN access to execute arbitrary code on the server via a PowerShell remoting session. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-08-08 | 8.0 | |
| CVE-2023-35368 | High-severity remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019 that allows attackers to execute arbitrary code on affected servers without user interaction by exploiting improper input validation, potentially leading to full system compromise. Microsoft Exchange Remote Code Execution Vulnerability. | 2023-08-08 | 8.8 | |
| CVE-2023-21709 | Critical elevation of privilege vulnerability affecting Microsoft Exchange Server. The vulnerability allows unauthenticated attackers to perform brute force attacks against valid user accounts, potentially leading to unauthorized logins and privilege escalation. | 2023-08-08 | 9.8 | |
| CVE-2023-32031 | High-severity remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019 that allows authenticated attackers to execute arbitrary code on the server by exploiting improper deserialization of untrusted data, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-06-14 | 8.8 | |
| CVE-2023-28310 | A high-severity remote code execution vulnerability in Microsoft Exchange Server that allows authenticated attackers with LAN access to execute arbitrary code via a PowerShell remoting session, potentially leading to unauthorized access or data theft. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-06-14 | 8.0 | |
| CVE-2023-21710 | A remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server as SYSTEM by sending specially crafted requests, potentially leading to full system compromise if left unpatched. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-02-14 | 7.2 | |
| CVE-2023-21706 | High-severity remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server by exploiting improper deserialization of untrusted data, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-02-14 | 8.8 | |
| CVE-2023-21707 | A high-severity remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server by exploiting improper deserialization of untrusted data. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-02-14 | 8.8 | |
| CVE-2023-21529 | High-severity remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server by exploiting improper deserialization of untrusted data, potentially leading to full system compromise . Microsoft Exchange Server Remote Code Execution Vulnerability. | 2023-02-14 | 8.8 | |
| CVE-2023-21762 | A critical out-of-bounds write vulnerability in the SSL-VPN daemon (sslvpnd) of Fortinet FortiOS and FortiProxy products that allows unauthenticated remote attackers to execute arbitrary code or commands, potentially leading to complete system compromise, and has been actively exploited in the wild, prompting urgent recommendations to patch or disable SSL VPN functionality until remediation is applied. Microsoft Exchange Server Spoofing Vulnerability. | 2023-01-10 | 8.0 | ⚠️ |
| CVE-2023-21763 | An elevation of privilege vulnerability in Microsoft Exchange Server that allows authenticated attackers to gain SYSTEM-level privileges, potentially enabling unauthorized actions within the system. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2023-01-10 | 7.8 | |
| CVE-2023-21764 | High-severity elevation of privilege vulnerability in Microsoft Exchange Server 2016 and 2019 that allows a local authenticated attacker to load a malicious DLL via an externally-supplied search path, potentially gaining SYSTEM-level privileges on the affected server. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2023-01-10 | 7.8 | |
| CVE-2023-21761 | High-severity information disclosure vulnerability in Microsoft Exchange Server 2016 and 2019 that allows remote, unauthenticated attackers to access sensitive information due to improper validation of requests, potentially exposing confidential data over the network. Microsoft Exchange Server Information Disclosure Vulnerability. | 2023-01-10 | 7.5 | |
| CVE-2023-21745 | A high-severity spoofing vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows attackers to impersonate users or services, potentially enabling phishing attacks or unauthorized access if left unpatched. Microsoft Exchange Server Spoofing Vulnerability. | 2023-01-10 | 8.0 |
Exchange Server Vulnerabilities for 2022
| CVE | Description | Released | Severity | Actively Exploited |
|---|---|---|---|---|
| CVE-2022-41123 | High-severity elevation of privilege vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows local authenticated attackers to gain elevated privileges on the system, potentially enabling unauthorized actions if left unpatched. Microsoft Exchange Server Elevation of Privilege Vulnerability | 2022-11-09 | 7.8 | |
| CVE-2022-41080 | A high-severity privilege escalation vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to elevate privileges and execute arbitrary code with SYSTEM rights, and can be combined with other vulnerabilities to bypass mitigations and achieve remote code execution. Microsoft Exchange Server Elevation of Privilege Vulnerability | 2022-11-09 | 9.8 | ⚠️ |
| CVE-2022-41079 | Spoofing vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to impersonate users or services by manipulating email or server responses, potentially enabling phishing or unauthorized access. Microsoft Exchange Server Spoofing Vulnerability | 2022-11-09 | 8.0 | |
| CVE-2022-41078 | High-severity spoofing vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to relay NTLM credentials, potentially enabling further attacks such as NTLM relay or impersonation if left unpatched. Microsoft Exchange Server Spoofing Vulnerability. | 2022-11-09 | 8.0 | |
| CVE-2022-41082 | A remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code via PowerShell when combined with other vulnerabilities, potentially leading to full system compromise if left unpatched. Microsoft Exchange Server Remote Code Execution Vulnerability | 2022-10-03 | 8.0 | ⚠️ |
| CVE-2022-41040 | Server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows an authenticated attacker to remotely trigger subsequent vulnerabilities-such as remote code execution via CVE-2022-41082-potentially leading to full system compromise. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2022-10-03 | 8.8 | ⚠️ |
| CVE-2022-34692 | Medium-severity information disclosure vulnerability in Microsoft Exchange Server 2016 and 2019 that allows attackers to access sensitive data on affected systems, potentially compromising confidentiality if left unpatched. Microsoft Exchange Server Information Disclosure Vulnerability. | 2022-08-09 | 5.3 | |
| CVE-2022-30134 | Information disclosure vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to read targeted email messages without requiring elevated privileges. Microsoft Exchange Server Information Disclosure Vulnerability. | 2022-08-09 | 6.5 | |
| CVE-2022-24516 | A high-severity elevation of privilege vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to gain elevated privileges on the system by enticing a user to access a malicious server, potentially resulting in unauthorized access and control. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2022-08-09 | 8.0 | |
| CVE-2022-24477 | High-severity elevation of privilege vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that requires an authenticated user to be enticed into visiting a malicious server, potentially allowing an attacker to take over user mailboxes, send and read emails, and download attachments if successfully exploited. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2022-08-09 | 8.0 | |
| CVE-2022-21979 | A medium-severity information disclosure vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to access sensitive information stored on the server, potentially leading to privacy breaches and data exposure. Microsoft Exchange Server Information Disclosure Vulnerability. | 2022-08-09 | 5.7 | |
| CVE-2022-21980 | High-severity elevation of privilege vulnerability in Microsoft Exchange Server 2016 and 2019 that requires an authenticated user to visit a malicious server, potentially allowing an attacker to gain elevated privileges and take control of Exchange resources. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2022-08-09 | 8.0 | |
| CVE-2022-21978 | A high-severity elevation of privilege vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows attackers with elevated privileges on the Exchange server to gain Domain Administrator rights, potentially leading to full domain compromise. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2022-05-10 | 8.2 | |
| CVE-2022-24463 | Spoofing vulnerability in Microsoft Exchange Server 2016 and 2019 that allows authenticated attackers to make specially crafted network calls, potentially causing the server to disclose files by parsing HTTP requests to attacker-controlled servers. Microsoft Exchange Server Spoofing Vulnerability. | 2022-03-09 | 6.5 | |
| CVE-2022-23277 | A critical remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers with low privileges to execute arbitrary code on the server by exploiting insecure deserialization, potentially leading to full system compromise if left unpatched. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2022-03-09 | 8.8 | ⚠️ |
| CVE-2022-21969 | Critical remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows attackers with adjacent network access and low privileges to execute arbitrary code on the server. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2022-01-11 | 9.0 | |
| CVE-2022-21855 | A remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers with adjacent network access to execute arbitrary code on the server. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2022-01-11 | 9.0 | |
| CVE-2022-21846 | Critical remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows attackers with adjacent network access and low privileges to execute arbitrary code on the server. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2022-01-11 | 9.0 |
Exchange Server Vulnerabilities for 2021
| CVE | Description | Released | Severity | Actively Exploited |
|---|---|---|---|---|
| CVE-2021-42321 | High-severity post-authentication remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019 that allows authenticated attackers to execute arbitrary code on the server by exploiting improper validation of cmdlet arguments, and has been actively exploited in targeted attacks. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-11-10 | 8.8 | ⚠️ |
| CVE-2021-42305 | Medium-severity spoofing vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows remote attackers to impersonate users or services by exploiting improper validation of email or server responses, potentially enabling phishing or unauthorized access if left unpatched. Microsoft Exchange Server Spoofing Vulnerability. | 2021-11-10 | 6.5 | |
| CVE-2021-41349 | Medium-severity spoofing vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows attackers to perform reflected cross-site scripting (XSS) attacks, potentially enabling DOM manipulation, email access, phishing, and other state-changing actions within the application. Microsoft Exchange Server Spoofing Vulnerability. | 2021-11-10 | 6.5 | |
| CVE-2021-41348 | High-severity elevation of privilege vulnerability in Microsoft Exchange Server 2016 and 2019 that allows authenticated attackers with adjacent network access to escalate privileges on vulnerable Exchange servers, potentially enabling unauthorized actions. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2021-10-13 | 8.0 | |
| CVE-2021-41350 | Medium-severity spoofing vulnerability in Microsoft Exchange Server 2016 and 2019 that allows remote attackers to impersonate users or services by exploiting improper validation, potentially enabling phishing or unauthorized access. Microsoft Exchange Server Spoofing Vulnerability. | 2021-10-13 | 6.5 | |
| CVE-2021-34453 | A denial of service vulnerability in Microsoft Exchange Server 2016 and 2019 that allows remote attackers to disrupt server availability by sending specially crafted requests, potentially causing the service to become unavailable. Microsoft Exchange Server Denial of Service Vulnerability. | 2021-10-13 | 7.5 | |
| CVE-2021-26427 | Critical remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows unauthenticated attackers on the same local network to execute arbitrary code with SYSTEM privileges, potentially leading to complete system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-10-13 | 9.6 | |
| CVE-2021-34523 | A critical elevation of privilege vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows remote attackers to gain SYSTEM-level access and execute arbitrary commands as part of the ProxyShell exploit chain, has been actively exploited in the wild, and can lead to full server compromise if left unpatched. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2021-07-14 | 9.8 | ⚠️ |
| CVE-2021-34473 | Critical pre-authentication remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows unauthenticated attackers to execute arbitrary code on the server via specially crafted requests, and has been widely exploited as part of the ProxyShell attack chain. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-07-14 | 10.0 | ⚠️ |
| CVE-2021-34470 | High-severity elevation of privilege vulnerability in Microsoft Exchange Server that allows attackers to exploit Active Directory schema misconfigurations to gain elevated privileges and unauthorized access, potentially leading to data breaches and further malicious activity if left unpatched. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2021-07-14 | 8.0 | |
| CVE-2021-33768 | High-severity elevation of privilege vulnerability in Microsoft Exchange Server that allows attackers with low privileges and adjacent network access to gain elevated permissions and potentially execute arbitrary code on the affected server. Microsoft Exchange Server Elevation of Privilege Vulnerability. | 2021-07-14 | 8.0 | |
| CVE-2021-33766 | Known as ProxyToken, is a high-severity authentication bypass vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows unauthenticated attackers to configure mailbox settings-including forwarding all emails to an attacker-controlled account-by exploiting improper authentication handling in the Exchange Front End proxy. Microsoft Exchange Server Information Disclosure Vulnerability. | 2021-07-14 | 7.5 | ⚠️ |
| CVE-2021-31196 | High-severity remote code execution vulnerability in Microsoft Exchange Server that allows authenticated attackers to execute arbitrary code on affected systems by sending crafted requests, potentially leading to data breaches and full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-07-14 | 7.2 | ⚠️ |
| CVE-2021-31206 | High-severity remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows remote attackers to execute arbitrary code on affected systems by exploiting flaws in archive file parsing, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-07-14 | 8.0 | |
| CVE-2021-31195 | Medium-severity reflected cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows remote attackers to execute arbitrary script code in a user’s browser via the refurl parameter in frowny.asp, potentially leading to session hijacking, data theft, or other malicious activities. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-05-11 | 8.8 | |
| CVE-2021-31207 | A security feature bypass vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that, when chained with other ProxyShell vulnerabilities, allows remote attackers to write files and execute arbitrary code on the server, and has been actively exploited in ransomware campaigns and other attacks. Microsoft Exchange Server Security Feature Bypass Vulnerability. | 2021-05-11 | 6.6 | ⚠️ |
| CVE-2021-31209 | Spoofing vulnerability in Microsoft Exchange Server that allows remote attackers to impersonate users or services by exploiting improper validation, potentially enabling phishing or unauthorized access if left unpatched. Microsoft Exchange Server Spoofing Vulnerability. | 2021-05-11 | 8.1 | |
| CVE-2021-31198 | High-severity remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows remote, unauthenticated attackers to execute arbitrary code on affected systems by sending specially crafted requests, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-05-11 | 7.8 | |
| CVE-2021-28483 | Critical post-authentication remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server, potentially leading to full system compromise, and can be chained with pre-authentication vulnerabilities for greater impact. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-04-13 | 9.0 | |
| CVE-2021-28482 | High-severity post-authentication remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code by exploiting a deserialization flaw in Outlook Web Access’s MeetingPollHandler.ashx, potentially leading to full system compromise if chained with pre-authentication vulnerabilities. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-04-13 | 9.0 | |
| CVE-2021-28481 | Critical pre-authentication remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows unauthenticated attackers to execute arbitrary code on the server by sending specially crafted requests, potentially leading to persistent access and full enterprise network compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-04-13 | 10.0 | |
| CVE-2021-28480 | Critical pre-authentication remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows unauthenticated attackers to execute arbitrary code on the server by sending specially crafted requests, potentially enabling persistent access and full enterprise network compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-04-13 | 10.0 | |
| CVE-2021-27065 | A post-authentication arbitrary file write vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to write files to any path on the server, leading to remote code execution and full system compromise, and has been actively exploited as part of the ProxyLogon attack chain. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-03-03 | 7.8 | ⚠️ |
| CVE-2021-26412 | Critical remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-03-03 | 9.1 | |
| CVE-2021-26854 | A remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-03-03 | 7.2 | |
| CVE-2021-26855 | Critical server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows unauthenticated remote attackers to bypass authentication, impersonate users, and gain access to mailboxes, often serving as the entry point for full system compromise in the ProxyLogon exploit chain. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-03-03 | 9.8 | ⚠️ |
| CVE-2021-26858 | Critical post-authentication arbitrary file write vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers-often by chaining with other vulnerabilities like CVE-2021-26855-to write files to any path on the server, leading to remote code execution and full system compromise, and has been widely exploited in the wild as part of the ProxyLogon attack chain. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-03-03 | 7.8 | ⚠️ |
| CVE-2021-26854 | A remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server, potentially leading to full system compromise. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-03-03 | 7.2 | |
| CVE-2021-26412 | Critical remote code execution vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 that allows authenticated attackers to execute arbitrary code on the server. Microsoft Exchange Server Remote Code Execution Vulnerability. | 2021-03-03 | 9.1 | |
| CVE-2021-24085 | Medium-severity cross-site request forgery (CSRF) elevation of privilege vulnerability in Microsoft Exchange Server 2016 and 2019 that allows remote attackers to escalate privileges and potentially take over accounts by exploiting improper validation of CSRF tokens. Microsoft Exchange Server Spoofing Vulnerability. | 2021-02-25 | 6.5 | |
| CVE-2021-1730 | Spoofing vulnerability in Microsoft Exchange Server 2016 and 2019 that allows malicious actors to impersonate users by exploiting improper handling of inline image downloads in Outlook Web Access (OWA), and mitigation requires configuring separate download domains to prevent such attacks. Microsoft Exchange Server Spoofing Vulnerability. | 2021-02-25 | 5.8 |