{ "document": { "acknowledgments": [ { "names": [ "Anonymous" ] } ], "aggregate_severity": { "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Public", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.", "title": "Disclaimer" }, { "category": "general", "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.", "title": "Customer Action" } ], "publisher": { "category": "vendor", "contact_details": "secure@microsoft.com", "name": "Microsoft Security Response Center", "namespace": "https://msrc.microsoft.com" }, "references": [ { "category": "self", "summary": "CVE-2026-45583 Microsoft Exchange Server Remote Code Execution Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45583" }, { "category": "self", "summary": "CVE-2026-45583 Microsoft Exchange Server Remote Code Execution Vulnerability - CSAF", "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-45583.json" }, { "category": "external", "summary": "Microsoft Exploitability Index", "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1" }, { "category": "external", "summary": "Microsoft Support Lifecycle", "url": "https://support.microsoft.com/lifecycle" }, { "category": "external", "summary": "Common Vulnerability Scoring System", "url": "https://www.first.org/cvss" } ], "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "tracking": { "current_release_date": "2026-06-09T07:00:00.000Z", "generator": { "date": "2026-06-18T21:22:25.909Z", "engine": { "name": "MSRC Generator", "version": "1.0" } }, "id": "msrc_CVE-2026-45583", "initial_release_date": "2026-06-09T07:00:00.000Z", "revision_history": [ { "date": "2026-06-09T07:00:00.000Z", "legacy_version": "1", "number": "1", "summary": "Information published." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_version_range", "name": "<15.01.2507.069", "product": { "name": "Microsoft Exchange Server 2016 Cumulative Update 23 <15.01.2507.069", "product_id": "4" } }, { "category": "product_version", "name": "15.01.2507.069", "product": { "name": "Microsoft Exchange Server 2016 Cumulative Update 23 15.01.2507.069", "product_id": "12039" } } ], "category": "product_name", "name": "Microsoft Exchange Server 2016 Cumulative Update 23" }, { "branches": [ { "category": "product_version_range", "name": "<15.02.1544.041", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 14 <15.02.1544.041", "product_id": "3" } }, { "category": "product_version", "name": "15.02.1544.041", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 14 15.02.1544.041", "product_id": "12293" } } ], "category": "product_name", "name": "Microsoft Exchange Server 2019 Cumulative Update 14" }, { "branches": [ { "category": "product_version_range", "name": "<15.02.1748.046", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 15 <15.02.1748.046", "product_id": "2" } }, { "category": "product_version", "name": "15.02.1748.046", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 15 15.02.1748.046", "product_id": "12502" } } ], "category": "product_name", "name": "Microsoft Exchange Server 2019 Cumulative Update 15" }, { "branches": [ { "category": "product_version_range", "name": "<15.02.2562.043", "product": { "name": "Microsoft Exchange Server Subscription Edition RTM <15.02.2562.043", "product_id": "1" } }, { "category": "product_version", "name": "15.02.2562.043", "product": { "name": "Microsoft Exchange Server Subscription Edition RTM 15.02.2562.043", "product_id": "16792" } } ], "category": "product_name", "name": "Microsoft Exchange Server Subscription Edition RTM" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-45583", "cwe": { "id": "CWE-94", "name": "Improper Control of Generation of Code ('Code Injection')" }, "notes": [ { "category": "general", "text": "Microsoft", "title": "Assigning CNA" }, { "category": "faq", "text": "Exploitation depends on an attacker being able to place themselves in a machine‑in‑the‑middle position on the network during use of the affected script. Because this requires specific network conditions that are not commonly present, the vulnerability is more difficult to exploit than issues that can be triggered directly.", "title": "According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability?" }, { "category": "faq", "text": "An attacker who is able to intercept network traffic could interfere with the secure connection used by the Exchange migration script and inject malicious data. When the script is run during a hybrid migration, this could cause unintended commands to run on the on‑premises Exchange server with administrative permissions.", "title": "How could an attacker exploit this vulnerability?" }, { "category": "faq", "text": "Yes, Microsoft recommends that customers download and use the latest, fixed version of the Public Folder scripts. The versions of the Public Folder scripts included with Exchange Server are outdated and will be removed in a future update.\nCustomers can download the latest version of the Public Folder scripts here.", "title": "Is there anything to be done in addition to installing the June 2026 security updates for my Exchange Server?" } ], "product_status": { "fixed": [ "12039", "12293", "12502", "16792" ], "known_affected": [ "1", "2", "3", "4" ] }, "references": [ { "category": "self", "summary": "CVE-2026-45583 Microsoft Exchange Server Remote Code Execution Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45583" }, { "category": "self", "summary": "CVE-2026-45583 Microsoft Exchange Server Remote Code Execution Vulnerability - CSAF", "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-45583.json" } ], "remediations": [ { "category": "vendor_fix", "date": "2026-06-09T07:00:00.000Z", "details": "15.01.2507.069:Security Update:https://support.microsoft.com/help/5094144", "product_ids": [ "4" ], "url": "https://support.microsoft.com/help/5094144" }, { "category": "vendor_fix", "date": "2026-06-09T07:00:00.000Z", "details": "15.02.1544.041:Security Update:https://support.microsoft.com/help/5094142", "product_ids": [ "3" ], "url": "https://support.microsoft.com/help/5094142" }, { "category": "vendor_fix", "date": "2026-06-09T07:00:00.000Z", "details": "15.02.1748.046:Security Update:https://support.microsoft.com/help/5094140", "product_ids": [ "2" ], "url": "https://support.microsoft.com/help/5094140" }, { "category": "vendor_fix", "date": "2026-06-09T07:00:00.000Z", "details": "15.02.2562.043:Security Update:https://support.microsoft.com/help/5094139", "product_ids": [ "1" ], "url": "https://support.microsoft.com/help/5094139" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalsScore": 0.0, "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 6.5, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "1", "2", "3", "4" ] } ], "threats": [ { "category": "impact", "details": "Remote Code Execution" }, { "category": "exploit_status", "details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely" } ], "title": "Microsoft Exchange Server Remote Code Execution Vulnerability" } ] }