CVE-2026-55008 – Microsoft Exchange Server Spoofing Vulnerability

CVSS 9.6 CRITICAL Critical or Zero Day – Immediate Deployment

“A single malicious email can become far more dangerous when trusted webmail sessions execute attacker-controlled code.”

A cross-site scripting (XSS) vulnerability in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over the network. An attacker can send a specially crafted email that, if opened in Outlook Web Access (OWA) and certain conditions are met, causes arbitrary JavaScript to execute within the user’s browser session. Microsoft has released security updates for supported Exchange Server versions.

CVSS Score: 9.6

SEVERITY: Critical

THREAT:
This vulnerability affects Microsoft Exchange Server by allowing an attacker to exploit improper neutralization of web page input. A specially crafted email can trigger JavaScript execution when viewed through Outlook Web Access, enabling spoofing attacks within the user’s browser context. Because the vulnerability has a Changed scope, successful exploitation can affect resources beyond the vulnerable component, increasing the overall security impact.

EXPLOITS:
At the time of publication, the vulnerability has not been publicly disclosed and Microsoft has not detected active exploitation. Microsoft assesses exploitation as more likely. The CVSS v3.1 temporal metrics list exploit code maturity as Unproven, and the provided information does not confirm the existence of publicly available proof-of-concept exploit code.

TECHNICAL SUMMARY:
The vulnerability is caused by improper neutralization of input during web page generation (Cross-site Scripting) (CWE-79) in Microsoft Exchange Server. An attacker can send a specially crafted malicious email that, when opened in Outlook Web Access, causes arbitrary JavaScript to execute within the browser context if certain conditions are met. This can enable spoofing attacks and compromise the confidentiality, integrity, and availability of affected sessions. The Changed scope indicates that successful exploitation can impact resources outside the original security boundary.

EXPLOITABILITY:
Affected products include Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft Exchange Server 2019 Cumulative Updates 14 and 15, and Microsoft Exchange Server Subscription Edition RTM. Exploitation is performed over the network, requires no attacker privileges, but does require user interaction, specifically opening a specially crafted email in Outlook Web Access.

BUSINESS IMPACT:
Microsoft Exchange Server is a critical communication platform in many organizations. Successful exploitation could allow attackers to impersonate trusted content, execute malicious JavaScript within user sessions, access sensitive information, manipulate webmail interactions, and potentially facilitate additional attacks against users and enterprise systems. Organizations with internet-accessible Outlook Web Access deployments should prioritize remediation.

WORKAROUND:
No mitigations or workarounds are available. Microsoft recommends installing the appropriate security updates for affected Exchange Server versions.

URGENCY:
This vulnerability should be deployed urgently because it is rated Critical with a CVSS v3.1 base score of 9.6. Although Microsoft has not detected active exploitation, it assesses exploitation as more likely. The combination of network-based exploitation, high potential impact, and the widespread use of Exchange Server makes prompt patching essential.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
CWE Classification
CWE-79
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.