CVE-2026-55008
Microsoft Exchange Server Spoofing Vulnerability
Description
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
In plain language
AI Act nowCVE-2026-55008 is a serious web-page vulnerability in Microsoft Exchange Server that can be used to spoof what users see (tricking them into clicking or entering data). If your Exchange web access is reachable and users browse the Exchange login pages, you should act now—this is a RED-level issue.
CVE-2026-55008 is a cross-site scripting (XSS) flaw in Microsoft Exchange Server that can let an attacker inject malicious scripts into Exchange web pages, enabling spoofing of the Exchange interface in a user’s browser over the network.
What to do now
- Check your Exchange Server version and cumulative update level (for Exchange 2016 CU23, Exchange 2019 CU14/CU15, or Exchange Subscription Edition RTM).
- If you are on one of the affected versions, upgrade immediately to the fixed versions: 15.01.2507.071 (Exchange 2016 CU23), 15.02.1544.043 (Exchange 2019 CU14), 15.02.1748.048 (Exchange 2019 CU15), or 15.02.2562.045 (Exchange Subscription Edition RTM).
- After updating, test Exchange web access in a browser for basic login and mailbox navigation, then review web-related logs for unusual script or page-load errors.
- Restrict Exchange web exposure as much as possible (for example, ensure access is only through intended gateways/VPNs) until the update is applied.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:CScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
- В июле Microsoft исправила рекордные 622 уязвимости в своих продуктахru-ru·Хакер (xakep.ru)· Source-only·
- Цунами уязвимостей: июльский Microsoft Patch Tuesdayru-ru·Kaspersky Daily (RU)· Summary only·
- Records Are Made to Be Broken: Patch Tuesday Raises Triage Stakesen·Dark Reading·
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attacken·The Hacker News·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Daysen-us·SecurityWeek·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-55008 and every CVE in our database. Create a free account — no credit card required.
Create Free Account