CVE-2026-55006 is a high-severity privilege-escalation vulnerability in Microsoft Exchange Server that can let an authenticated, low-privileged attacker take full control of a vulnerable server. Microsoft released fixes on July 14, 2026, covering Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition RTM.
Detailed in Microsoft’s Security Update Guide and included in the July 2026 Patch Tuesday release, the flaw carries a CVSS 3.1 base score of 7.8. Microsoft classifies it as Important rather than Critical because exploitation requires local access and existing privileges, but a successful attack can have a high impact on confidentiality, integrity, and availability.
Microsoft says the underlying weakness is insufficient granularity of access control, tracked as CWE-1220. In practical terms, Exchange does not enforce sufficiently precise permissions around an affected operation, allowing an authorized user to cross a security boundary that should have constrained the account.
Administrators should install the July Exchange security updates rather than treating the local attack vector as a reason to postpone deployment.
The CVSS vector for CVE-2026-55006 is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Exploitation requires local access and low privileges, but Microsoft rates the attack complexity as low and says no interaction from another user is necessary.
That makes CVE-2026-55006 different from an unauthenticated Exchange vulnerability that can be attacked directly through Outlook on the web or another Internet-facing service. An attacker cannot, based on Microsoft’s published assessment, simply send a request from anywhere on the Internet and immediately obtain administrative control.
The distinction should not be mistaken for limited impact. Exchange servers are high-value systems holding mailboxes, address data, authentication-related configuration, transport rules, connectors, and often privileged access to other parts of an organization. An attacker who has already obtained a low-privileged foothold may use CVE-2026-55006 to turn that initial access into broader control.
Microsoft assigns High impact ratings to all three affected security properties:
Administrators should verify the actual Exchange build rather than relying on a server’s cumulative-update name alone. A machine reporting Exchange Server 2019 CU15, for example, is still vulnerable if its installed build predates 15.2.1748.48.
That detail matters in environments where cumulative updates and security updates are tracked separately. Inventory platforms may show the correct CU while overlooking a missing security update layered on top of it.
Exchange Server Subscription Edition is not exempt simply because it is Microsoft’s current on-premises release. The affected range includes Subscription Edition RTM builds earlier than 15.2.2562.45, so organizations that recently moved to the new servicing model still need to check deployment status.
Before installation, administrators should confirm that Exchange prerequisites and previous required updates are present, take a recoverable configuration backup, and review database availability group health. After installation, verify the Exchange services, transport queues, database mounts, Outlook on the web, and mail flow rather than treating a successful installer exit code as the end of the change.
Report confidence does not measure severity by itself, nor does it indicate that attackers are already exploiting the flaw. It answers a narrower question: how certain is the vendor that the reported condition is real and technically credible?
Microsoft’s temporal CVSS data identifies exploit-code maturity as unproven, remediation as an official fix, and report confidence as confirmed. The July review from the Zero Day Initiative likewise lists CVE-2026-55006 as neither publicly disclosed nor exploited at release time.
That combination gives defenders useful prioritization context. There was no public proof-of-concept or known in-the-wild exploitation when Microsoft published the advisory on July 14, but the low attack complexity and complete impact profile make delayed patching difficult to justify on exposed or business-critical Exchange infrastructure.
The need for existing access narrows the immediate attacker population. It does not eliminate risk from compromised user accounts, malicious insiders, service-account abuse, web shells introduced through another vulnerability, or attackers who have gained execution through phishing and lateral movement.
Once security updates become available, reverse engineering also begins. Attackers can compare patched and unpatched Exchange binaries or configuration behavior to identify the corrected access-control path, potentially reducing the time required to develop a working exploit.
A practical response to CVE-2026-55006 should include locating every Exchange server, recording its full build, and comparing it with Microsoft’s fixed thresholds. Hybrid deployments should not assume that moving most mailboxes to Exchange Online removes the risk: any remaining on-premises Exchange management or transport server must still be assessed.
Security teams should also review local administrative group membership, Exchange role assignments, interactive logons, service-account permissions, and unexpected process execution on Exchange hosts. Because the vulnerability requires prior authorization or a local foothold, evidence of unusual low-privileged activity becomes particularly relevant.
Monitoring cannot substitute for the update. Access-control vulnerabilities can involve legitimate system interfaces and authenticated activity, which may make exploitation less conspicuous than an obvious attempt to crash a service or deliver a malicious attachment.
Organizations that cannot patch immediately should reduce local logon rights, remove unnecessary accounts and software from Exchange hosts, restrict management access to dedicated administrative systems, and intensify monitoring. Those steps can reduce exposure, but Microsoft’s published remediation is the official security update rather than a permanent configuration workaround.
CVE-2026-55006 is not the classic unauthenticated Exchange emergency, but its end state is serious: a low-privileged foothold can become complete compromise of a mail server. The immediate milestone for administrators is concrete—bring Exchange Server 2016 CU23 to build 15.1.2507.71, Exchange 2019 CU14 to 15.2.1544.43, CU15 to 15.2.1748.48, and Subscription Edition RTM to 15.2.2562.45 or later.
Detailed in Microsoft’s Security Update Guide and included in the July 2026 Patch Tuesday release, the flaw carries a CVSS 3.1 base score of 7.8. Microsoft classifies it as Important rather than Critical because exploitation requires local access and existing privileges, but a successful attack can have a high impact on confidentiality, integrity, and availability.
Microsoft says the underlying weakness is insufficient granularity of access control, tracked as CWE-1220. In practical terms, Exchange does not enforce sufficiently precise permissions around an affected operation, allowing an authorized user to cross a security boundary that should have constrained the account.
Administrators should install the July Exchange security updates rather than treating the local attack vector as a reason to postpone deployment.
A Local Flaw With Server-Wide Consequences
The CVSS vector for CVE-2026-55006 is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Exploitation requires local access and low privileges, but Microsoft rates the attack complexity as low and says no interaction from another user is necessary.That makes CVE-2026-55006 different from an unauthenticated Exchange vulnerability that can be attacked directly through Outlook on the web or another Internet-facing service. An attacker cannot, based on Microsoft’s published assessment, simply send a request from anywhere on the Internet and immediately obtain administrative control.
The distinction should not be mistaken for limited impact. Exchange servers are high-value systems holding mailboxes, address data, authentication-related configuration, transport rules, connectors, and often privileged access to other parts of an organization. An attacker who has already obtained a low-privileged foothold may use CVE-2026-55006 to turn that initial access into broader control.
Microsoft assigns High impact ratings to all three affected security properties:
- Successful exploitation can expose information protected by the Exchange server.
- Successful exploitation can allow unauthorized modification of data or system state.
- Successful exploitation can disrupt the availability of Exchange services.
Four Exchange Branches Need Attention
The published CVE data identifies four affected Exchange servicing branches. Systems must be updated to the fixed build or a later build:| Exchange release | Vulnerable builds | Fixed build threshold |
|---|---|---|
| Exchange Server 2016 CU23 | Earlier than 15.1.2507.71 | 15.1.2507.71 or later |
| Exchange Server 2019 CU14 | Earlier than 15.2.1544.43 | 15.2.1544.43 or later |
| Exchange Server 2019 CU15 | Earlier than 15.2.1748.48 | 15.2.1748.48 or later |
| Exchange Server Subscription Edition RTM | Earlier than 15.2.2562.45 | 15.2.2562.45 or later |
That detail matters in environments where cumulative updates and security updates are tracked separately. Inventory platforms may show the correct CU while overlooking a missing security update layered on top of it.
Exchange Server Subscription Edition is not exempt simply because it is Microsoft’s current on-premises release. The affected range includes Subscription Edition RTM builds earlier than 15.2.2562.45, so organizations that recently moved to the new servicing model still need to check deployment status.
Before installation, administrators should confirm that Exchange prerequisites and previous required updates are present, take a recoverable configuration backup, and review database availability group health. After installation, verify the Exchange services, transport queues, database mounts, Outlook on the web, and mail flow rather than treating a successful installer exit code as the end of the change.
Microsoft Calls the Vulnerability Confirmed, Not Exploited
The report-confidence metric attached to CVE-2026-55006 is Confirmed. That rating means Microsoft has acknowledged the vulnerability and considers the available technical evidence sufficient to establish that the weakness exists.Report confidence does not measure severity by itself, nor does it indicate that attackers are already exploiting the flaw. It answers a narrower question: how certain is the vendor that the reported condition is real and technically credible?
Microsoft’s temporal CVSS data identifies exploit-code maturity as unproven, remediation as an official fix, and report confidence as confirmed. The July review from the Zero Day Initiative likewise lists CVE-2026-55006 as neither publicly disclosed nor exploited at release time.
That combination gives defenders useful prioritization context. There was no public proof-of-concept or known in-the-wild exploitation when Microsoft published the advisory on July 14, but the low attack complexity and complete impact profile make delayed patching difficult to justify on exposed or business-critical Exchange infrastructure.
The need for existing access narrows the immediate attacker population. It does not eliminate risk from compromised user accounts, malicious insiders, service-account abuse, web shells introduced through another vulnerability, or attackers who have gained execution through phishing and lateral movement.
Once security updates become available, reverse engineering also begins. Attackers can compare patched and unpatched Exchange binaries or configuration behavior to identify the corrected access-control path, potentially reducing the time required to develop a working exploit.
Exchange Inventories Cannot Stop at Windows Update
Exchange patch management remains more involved than ordinary Windows endpoint servicing. Administrators need to know the Exchange CU, installed security update, resulting build number, and whether every node in a database availability group has been updated.A practical response to CVE-2026-55006 should include locating every Exchange server, recording its full build, and comparing it with Microsoft’s fixed thresholds. Hybrid deployments should not assume that moving most mailboxes to Exchange Online removes the risk: any remaining on-premises Exchange management or transport server must still be assessed.
Security teams should also review local administrative group membership, Exchange role assignments, interactive logons, service-account permissions, and unexpected process execution on Exchange hosts. Because the vulnerability requires prior authorization or a local foothold, evidence of unusual low-privileged activity becomes particularly relevant.
Monitoring cannot substitute for the update. Access-control vulnerabilities can involve legitimate system interfaces and authenticated activity, which may make exploitation less conspicuous than an obvious attempt to crash a service or deliver a malicious attachment.
Organizations that cannot patch immediately should reduce local logon rights, remove unnecessary accounts and software from Exchange hosts, restrict management access to dedicated administrative systems, and intensify monitoring. Those steps can reduce exposure, but Microsoft’s published remediation is the official security update rather than a permanent configuration workaround.
CVE-2026-55006 is not the classic unauthenticated Exchange emergency, but its end state is serious: a low-privileged foothold can become complete compromise of a mail server. The immediate milestone for administrators is concrete—bring Exchange Server 2016 CU23 to build 15.1.2507.71, Exchange 2019 CU14 to 15.2.1544.43, CU15 to 15.2.1748.48, and Subscription Edition RTM to 15.2.2562.45 or later.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: zeropath.com
Brief Summary: CVE-2026-35435 — Azure AI Foundry M365 Agents Elevation of Privilege via Improper Access Control - ZeroPath Blog | ZeroPath
A short review of CVE-2026-35435, a critical improper access control vulnerability in Azure AI Foundry M365 published agents that allowed unauthenticated privilege escalation over the network. Microsoft has already mitigated this server-side, and no customer action is required. Includes patch...zeropath.com