Microsoft Exchange Server Elevation of Privilege Flaws Prompt Repeated Patching
Microsoft has disclosed multiple elevation of privilege vulnerabilities affecting Microsoft Exchange Server, including CVE-2021-34470, CVE-2021-41348, CVE-2022-41123, and CVE-2025-64666, indicating a recurring security issue in the on-premises mail platform across several release cycles. The advisories show Exchange continued to receive fixes for privilege-escalation weaknesses over multiple years, with Microsoft publishing separate Security Update Guide entries as new flaws were identified.
Among the listed issues, Microsoft provided the most detail for CVE-2021-34470, rating it Important with a CVSS 3.0 score of 8.0 and describing it as requiring access from a logically adjacent network. Microsoft said the fix required a schema change and was delivered for Exchange Server 2019 and Exchange Server 2016 in cumulative updates released on June 29, 2021; at initial publication, the company said the flaw was not publicly disclosed, not exploited, and less likely to be exploited. A separate Microsoft advisory in the same reference set, CVE-2026-26128, affects the Windows SMB Server rather than Exchange and also involves elevation of privilege.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes CVE-2026-26128 advisory for Windows SMB Server
Microsoft published a Security Update Guide entry for CVE-2026-26128, identified as a Windows SMB Server elevation of privilege vulnerability. No additional synopsis details were provided in the reference.
Microsoft publishes CVE-2025-64666 advisory for Exchange Server
Microsoft published a Security Update Guide entry for CVE-2025-64666, identified as a Microsoft Exchange Server elevation of privilege vulnerability. No additional synopsis details were provided in the reference.
Microsoft publishes CVE-2022-41123 advisory for Exchange Server
Microsoft published a Security Update Guide entry for CVE-2022-41123, identified as a Microsoft Exchange Server elevation of privilege vulnerability. No additional synopsis details were provided in the reference.
Microsoft publishes CVE-2021-41348 advisory for Exchange Server
Microsoft published a Security Update Guide entry for CVE-2021-41348, identified as a Microsoft Exchange Server elevation of privilege vulnerability. No additional synopsis details were provided in the reference.
Microsoft discloses CVE-2021-34470 for Exchange Server
Microsoft published advisory details for CVE-2021-34470, an Important Microsoft Exchange Server elevation of privilege vulnerability with a CVSS 3.0 score of 8.0. At disclosure, Microsoft assessed it as not publicly disclosed, not exploited, and less likely to be exploited.
Microsoft releases Exchange cumulative updates fixing CVE-2021-34470
Microsoft fixed the Microsoft Exchange Server elevation of privilege vulnerability CVE-2021-34470 in cumulative updates for Exchange Server 2019 and Exchange Server 2016. The fix required a schema change and was released as part of the June 29, 2021 cumulative updates.
Sources
5 references tracked.
CVE-2026-26128 - Security Update Guide - Microsoft - Windows SMB Server Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2025-64666 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2022-41123 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2021-41348 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability (msrc.microsoft.com)
CVE-2021-34470 - Security Update Guide - Microsoft - Microsoft Exchange Server Elevation of Privilege Vulnerability (msrc.microsoft.com)


