CVE-2026-47631 | Severity: HIGH | CNA: microsoft

CVE-2026-47631: Microsoft Exchange Server Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 15.01.2507.069
Affected Products: 4


HarborGuard Analysis

Synopsis

Cross-site scripting (XSS) in Microsoft Exchange Server allows an unauthenticated network attacker to perform spoofing attacks against users who interact with a malicious link or crafted web content served by the Exchange web interface. The vulnerability stems from improper neutralization of user-supplied input during web page generation, meaning attacker-controlled content is rendered in the victim's browser without adequate sanitization. Successful exploitation lets an attacker impersonate trusted content or users, which can lead to credential theft, session hijacking, or unauthorized actions taken on behalf of the victim. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected Exchange Server version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-47631 is available across every HarborGuard environment: the CVE is matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle or layer Microsoft Exchange Server components. Any image in a customer registry or CI/CD pipeline that falls within the affected version ranges is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules for the affected image or workload.

Patch (Available)

Patched-image rebuilds at versions 15.01.2507.069, 15.02.1544.041, 15.02.1748.046, and 15.02.2562.043 (depending on the installed cumulative update track) become available on HarborGuard once upstream packages are resolvable. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Exchange Server's web interface over the network; AV:N means no local or physical access is required.

  • Authentication: Not required

    No account or credentials are needed to deliver the malicious payload; PR:N confirms the attacker is entirely unauthenticated.

  • Victim interaction: Required

    A legitimate user must take an action such as clicking a crafted link or visiting a malicious page that triggers the injected script; UI:R reflects this social-engineering dependency.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Reads session tokens or authentication cookies from the victim's browser, enabling account takeover without knowing the victim's password.
  • Injects script that performs actions inside Exchange on behalf of the victim, such as forwarding emails or modifying mailbox rules.
  • Renders attacker-controlled content in the Exchange web interface, allowing convincing phishing pages served from a trusted domain.

How HarborGuard Handles This

Available on HarborGuard: detection against all four affected Exchange Server version ranges is active as soon as the CVE enters the upstream feed. For environments where images include Exchange Server components at the affected build levels, HarborGuard identifies the exposure and scores it at CVSS 8.1 HIGH. Where compliance policy permits auto-remediation, HarborGuard triggers a patched-image rebuild at the appropriate fix version (15.01.2507.069, 15.02.1544.041, 15.02.1748.046, or 15.02.2562.043 depending on the CU track), runs regression tests against the rebuilt image, and opens a pull request against affected workloads. For HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the full version-range detail and fix version references in the HarborGuard finding card for each affected image.


Fix available

  • 15.01.2507.069
  • 15.02.1544.041
  • 15.02.1748.046
  • 15.02.2562.043

Affected packages
  • Microsoft / Microsoft Exchange Server 2016 Cumulative Update 23
    < 15.01.2507.069 (from 15.01.0.0)
  • Microsoft / Microsoft Exchange Server 2019 Cumulative Update 14
    < 15.02.1544.041 (from 15.02.0.0)
  • Microsoft / Microsoft Exchange Server 2019 Cumulative Update 15
    < 15.02.1748.046 (from 15.02.0.0)
  • Microsoft / Microsoft Exchange Server Subscription Edition RTM
    < 15.02.2562.043 (from 15.02.0.0)
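The three 15.02 ranges above all start at 15.02.0.0 and overlap, so a naive "greater than introduced and less than fixed" check flags a patched CU14 server because its build is still below the CU15 and Subscription Edition fix builds. The Python below is an added example, not HarborGuard's matcher: it compares build numbers numerically rather than as strings, identifies the cumulative update track from the first three components of the listed fix build, and only then applies the "below fixed build" test. It goes beyond the record in one respect: a build on the 15.02 line that is not one of the listed tracks is reported separately, because the record gives no fix build for it. The sample build numbers are constructed for the demonstration; only the fix builds come from the record.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRange:
    product: str
    introduced: str  # first affected build, inclusive
    fixed: str       # first build that carries the fix


# Affected packages exactly as listed on this record.
RANGES = [
    AffectedRange("Microsoft Exchange Server 2016 Cumulative Update 23",
                  "15.01.0.0", "15.01.2507.069"),
    AffectedRange("Microsoft Exchange Server 2019 Cumulative Update 14",
                  "15.02.0.0", "15.02.1544.041"),
    AffectedRange("Microsoft Exchange Server 2019 Cumulative Update 15",
                  "15.02.0.0", "15.02.1748.046"),
    AffectedRange("Microsoft Exchange Server Subscription Edition RTM",
                  "15.02.0.0", "15.02.2562.043"),
]


def parse_build(text):
    """Turn '15.02.1544.041' (or the unpadded '15.2.1544.41') into a tuple of
    ints. String comparison would get this wrong: '15.02.1544.041' < '15.2.0.0'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {text!r}")
    return tuple(int(p) for p in parts)


def assess(build_text):
    """Describe whether an installed build falls inside a listed range.

    A build is first matched to its CU track (the first three components of a
    listed fix build) before the 'below fixed build' comparison is applied, so
    the CU14 fix build 15.02.1544.041 is not flagged by the CU15 range.
    """
    build = parse_build(build_text)
    for r in RANGES:
        fixed = parse_build(r.fixed)
        if build[:3] == fixed[:3]:  # same CU track as a listed fix build
            status = "affected" if build < fixed else "fixed"
            return {"status": status, "product": r.product, "fix": r.fixed}
    # Not on a listed track: still report builds inside the broad version range
    # (for example an older CU on the 15.02 line). The record lists no fix build
    # for such a track, so remediation is to move to a listed CU.
    for r in RANGES:
        if parse_build(r.introduced) <= build < parse_build(r.fixed):
            return {"status": "affected-unlisted-track", "product": r.product, "fix": r.fixed}
    return {"status": "not-in-listed-ranges", "product": None, "fix": None}


if __name__ == "__main__":
    # Constructed sample builds; only the fix builds in RANGES come from the record.
    for sample in ("15.02.1544.040", "15.02.1544.041", "15.2.1748.46",
                   "15.01.2507.068", "15.02.1000.001", "15.00.1000.001"):
        print(sample, assess(sample))
```

The build number an Exchange server reports (for example from Get-ExchangeServer or the Exchange Server Administrative Center) may be zero-padded or not; parsing to integers makes both spellings compare equal, which is why the check is done on tuples rather than on the raw strings.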
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C