HIGH 7.5

CVE-2026-45583: Microsoft Exchange Server Code Injection – HIGH Severity Remote Code Execution

Microsoft Exchange Server contains a code injection vulnerability that allows an attacker to execute arbitrary code on affected systems over the network. The vulnerability requires user interaction and moderately complex attack conditions, but successful exploitation could give an attacker complete control over the Exchange server and the email infrastructure it supports. This is a HIGH severity issue affecting multiple versions of Exchange Server and Exchange Server Subscription Edition.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-94
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45583 is a code injection vulnerability (CWE-94) in Microsoft Exchange Server where improper input validation during code generation allows an unauthenticated, remote attacker to inject and execute malicious code. The attack vector is network-based with high attack complexity and requires user interaction, meaning the attacker must convince a user to perform a specific action. Once code execution is achieved, the attacker operates in the user's context. The CVSS 3.1 score of 7.5 reflects the HIGH severity due to potential compromise of confidentiality, integrity, and availability.

Business impact

Exchange Server is typically a critical component of organizational email and collaboration infrastructure. A successful exploitation could result in unauthorized access to email data, mailbox tampering, installation of persistent backdoors, or use of the compromised server as a pivot point into the internal network. The requirement for user interaction slightly limits the risk profile compared to fully automated exploits, but the potential impact on business continuity and data security remains substantial, particularly if Exchange Server processes sensitive communications or integrates with other business systems.

Affected systems

The vulnerability affects Microsoft Exchange Server across multiple versions and Microsoft Exchange Server Subscription Edition. Organizations running any version of Exchange Server should verify their specific deployment against Microsoft's official advisory to confirm whether their configuration is in scope. The attack requires network access to the affected Exchange infrastructure.

Exploitability

While the vulnerability is network-accessible without authentication, successful exploitation requires high attack complexity and user interaction—factors that reduce the likelihood of widespread automated attacks compared to vulnerabilities with lower barriers to exploitation. An attacker must craft a malicious payload and persuade a user to engage with it in a specific way. This does not eliminate the risk; it means that targeted attacks against specific organizations or individuals are more probable than indiscriminate worm-like propagation.

Remediation

Organizations should apply security updates released by Microsoft for affected Exchange Server versions without delay. Given the HIGH severity rating and code execution capability, this should be prioritized in your patch management process. Consult Microsoft's security advisory for specific patch version numbers and application procedures for your deployed Exchange versions. Organizations unable to patch immediately should implement network-level controls to restrict access to Exchange Server and monitor for suspicious behavior.

Patch guidance

Microsoft will release patches addressing this vulnerability. Visit the Microsoft Security Updates portal and search for CVE-2026-45583 or consult your exchange-specific security advisor for exact patch version numbers and availability. Patch application procedures vary by Exchange version (on-premises vs. Subscription Edition), so follow Microsoft's documented update process for your deployment. Test patches in a non-production environment before broad rollout.

Detection guidance

Monitor Exchange Server logs for unusual code generation activity, unexpected script execution, or process spawning from Exchange processes. Network-based detection should focus on identifying suspicious payloads sent to Exchange endpoints that might trigger code injection. Endpoint detection and response (EDR) tools monitoring Exchange Server processes can help identify post-exploitation activity. Organizations should review mailbox audit logs and transport logs for signs of unauthorized email forwarding or message manipulation that could indicate a compromised server.

Why prioritize this

This vulnerability merits immediate prioritization due to its HIGH CVSS score, code execution capability, and the criticality of Exchange Server infrastructure. Email systems are often targets for attackers seeking to establish persistence, access sensitive communications, or move laterally within networks. The requirement for user interaction provides a window for defensive measures but should not delay remediation planning.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects: network-accessible attack vector with no authentication required; high attack complexity and required user interaction that reduce immediate exposure; but complete impact on confidentiality, integrity, and availability if exploitation succeeds. The score appropriately captures that while the barrier to exploitation is moderate, the consequence is severe.

Frequently asked questions

Does this vulnerability allow unauthenticated remote code execution without any user interaction?

No. While the attack is network-based and requires no authentication, successful exploitation does require user interaction and relatively high attack complexity. An attacker cannot silently compromise Exchange Server; they must induce a user to perform a specific action. This is a lower-risk profile than fully unattended exploits but still requires prompt remediation.

Is this vulnerability actively exploited in the wild?

As of the vulnerability publication date (June 2026), this vulnerability was not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no confirmed active exploitation at that time. However, the severity and code execution capability mean it could become a target. Monitor threat intelligence feeds and CISA KEV updates for any changes to this status.

What is the difference between Exchange Server and Exchange Server Subscription Edition, and do both require patching?

Exchange Server typically refers to on-premises deployments, while Subscription Edition is a cloud-hosted or hybrid offering. Both versions are listed as affected by this vulnerability and should be patched according to their respective update mechanisms. Verify your deployment model and follow the appropriate Microsoft guidance for applying updates.

If we cannot patch immediately, what interim controls should we implement?

Restrict network access to Exchange Server to trusted internal networks and require multi-factor authentication for all remote connections. Enable detailed logging and monitoring of Exchange processes and mailbox activity. Implement network-based filtering to block suspicious payloads. These controls reduce risk but are not substitutes for patching; develop an aggressive patch deployment timeline.

This analysis is based on publicly available vulnerability data current as of the published date. Specific patch version numbers, detailed remediation procedures, and vendor-specific guidance should be verified directly with Microsoft's official security advisories. Exploit code or detailed attack methodology is intentionally not provided. Organizations should consult their security vendor and internal risk assessment policies when prioritizing remediation. This information is provided for educational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).