CVE-2026-45583: Microsoft Exchange Server Remote Code Execution Vulnerability
Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 15.01.2507.069
- Affected Products: 4
HarborGuard Analysis
Synopsis
Code injection vulnerability in Microsoft Exchange Server allows an unauthenticated remote attacker to execute arbitrary code on the server, provided the attacker can induce a user interaction step. The vulnerability is reachable over the network, requires no credentials, but does require victim interaction, and successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system. Patched-image rebuilds at versions 15.01.2507.069, 15.02.1544.041, 15.02.1748.046, and 15.02.2562.043 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection of CVE-2026-45583 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in registries and CI pipelines, including custom-built Exchange-derived images. Coverage extends to any image layer that carries an affected Exchange Server build, regardless of how it was constructed.
HarborGuard scores this finding at CVSS 7.5 HIGH and weights it against each environment's compliance policy, escalating findings that exceed configured thresholds. Triage routing directs the alert to the team inbox or ticketing integration configured for the affected workload inside each customer org.
Patched-image rebuilds at the four fix versions are available on HarborGuard for any environment found running an affected Exchange Server build. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Exchange Server service over the network; there is no requirement for local or physical access.
- Authentication: Not required
No credentials are needed; the attacker can interact with the service as an unauthenticated user.
- Victim interaction: Required
A user on the target system must perform some interaction (such as opening a crafted message or following a link) for the exploit to trigger.
- Attack complexity: High
Attack complexity is high, meaning the attacker must satisfy specific conditions or timing constraints beyond simple delivery of a payload, making reliable exploitation harder to achieve.
Blast Radius
- The attacker executes arbitrary code in the context of the Exchange Server process, gaining the ability to read all mail data, attachments, and stored credentials accessible to that process.
- The attacker can write or modify mail items, configuration files, and any data the Exchange process has write access to on the host filesystem or database.
- The attacker can terminate or crash Exchange services, interrupting mail flow and causing denial of service for all users served by that instance.
- With code execution on the server, the attacker can pivot to adjacent internal systems reachable from the Exchange host.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication, matching all images in customer registries and pipelines against the affected version ranges for Exchange Server 2016 CU23, Exchange Server 2019 CU14, CU15, and Subscription Edition RTM. Patched rebuilds at versions 15.01.2507.069, 15.02.1544.041, 15.02.1748.046, and 15.02.2562.043 are available for any environment where an affected build is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review before remediation, the finding is routed to the configured team inbox with full CVSS context and affected layer detail to support a rapid decision.
Fix available
- Microsoft / Microsoft Exchange Server 2016 Cumulative Update 23: < 15.01.2507.069 (from 15.01.0.0)
- Microsoft / Microsoft Exchange Server 2019 Cumulative Update 14: < 15.02.1544.041 (from 15.02.0.0)
- Microsoft / Microsoft Exchange Server 2019 Cumulative Update 15: < 15.02.1748.046 (from 15.02.0.0)
- Microsoft / Microsoft Exchange Server Subscription Edition RTM: < 15.02.2562.043 (from 15.02.0.0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C