CVE-2025-64666

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGH

EPSS

0.1%

top 72.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft Exchange Server 2016 Cumulative Update 23 Microsoft Microsoft Exchange Server 2019 Cumulative Update 14 Microsoft Microsoft Exchange Server 2019 Cumulative Update 15 +2 more

Timeline

PublishedDec 9

Description

Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages5 packages

▶NVDmicrosoft/exchange_server< 15.02.2562.035+2

▶CVEListV5microsoft/microsoft_exchange_server_subscription_edition_rtm15.02.0.0 — 15.02.2562.035

▶CVEListV5microsoft/microsoft_exchange_server_2016_cumulative_update_2315.01.0.0 — 15.01.2507.063

▶CVEListV5microsoft/microsoft_exchange_server_2019_cumulative_update_1415.02.0.0 — 15.02.1544.037

▶CVEListV5microsoft/microsoft_exchange_server_2019_cumulative_update_1515.02.0.0 — 15.02.1748.042

🔴Vulnerability Details

CVEList

Microsoft Exchange Server Elevation of Privilege Vulnerability↗2025-12-09

▶

GHSA

GHSA-mr7p-99h9-v459: Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network↗2025-12-09

▶

📋Vendor Advisories

Microsoft

Microsoft Exchange Server Elevation of Privilege Vulnerability↗2025-12-09

▶

🕵️Threat Intelligence

Wiz

CVE-2025-64666 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶