# Exchange Server CVE Analysis — Al Mayadeen (autodiscover.almayadeen.net)

> **Target:** BHS-EX09.ITTIHADTV.LOCAL
> **Build:** 15.1.2507.59 (Exchange 2016 CU23 Sep25HU — September 8, 2025)
> **Latest Available:** 15.1.2507.66 (Feb26SU — February 10, 2026)
> **Patches Behind:** 3 security updates missing
> **OS:** Windows Server 2012 R2 (IIS 8.5) — END OF SUPPORT (Oct 2023)

---

## Missing Patches & Unpatched CVEs

### 1. CVE-2025-59249 — Elevation of Privilege (CVSS 8.8 HIGH)
- **Type:** Weak authentication allows authorized attacker to elevate privileges over network
- **Fixed in:** Oct 14, 2025 (15.1.2507.61) — KB5066369
- **Status on target:** VULNERABLE (running .59, needs .61+)
- **Impact:** Network-based privilege escalation — authenticated user can become admin

### 2. CVE-2025-53782 — Elevation of Privilege (CVSS 7.8-8.4 HIGH)
- **Type:** Incorrect authentication algorithm implementation, local privilege escalation
- **Fixed in:** Oct 14, 2025 (15.1.2507.61) — KB5066369
- **Status on target:** VULNERABLE
- **Impact:** Local attacker can escalate to SYSTEM/admin

### 3. CVE-2025-59248 — Spoofing
- **Type:** Exchange spoofing vulnerability
- **Fixed in:** Oct 14, 2025 (15.1.2507.61) — KB5066369
- **Status on target:** VULNERABLE

### 4. CVE-2025-64666 — Elevation of Privilege
- **Type:** Elevation of Privilege in Exchange Server
- **Fixed in:** Dec 9, 2025 (15.1.2507.63) — KB5071873
- **Status on target:** VULNERABLE

### 5. CVE-2025-64667 — Spoofing
- **Type:** Exchange spoofing vulnerability
- **Fixed in:** Dec 9, 2025 (15.1.2507.63) — KB5071873
- **Status on target:** VULNERABLE

### 6. CVE-2026-21527 — Spoofing (CVSS 6.5 MEDIUM)
- **Type:** UI misrepresentation of critical information, network-based spoofing
- **CWE:** CWE-345 (Insufficient Verification of Data Authenticity)
- **Fixed in:** Feb 10, 2026 (15.1.2507.66) — KB5074995
- **Status on target:** VULNERABLE
- **Impact:** No auth required, low complexity — can spoof sender info, display falsified interface elements

### 7. CVE-2025-53786 — Elevation of Privilege (CISA EMERGENCY DIRECTIVE ED 25-02)
- **Type:** Post-authentication lateral movement from on-prem Exchange to M365 cloud
- **Fixed in:** Apr 2025 patch guidance (15.1.2507.55+)
- **Status on target:** PATCHED at the build level (.59 > .55); residual exposure only if the server is in a hybrid configuration
- **Note:** CISA issued Emergency Directive ED 25-02 on Aug 7, 2025 for this CVE
- **Risk:** If hybrid-joined, lateral movement to cloud possible

---

## Additional Risk Factors

### Windows Server 2012 R2 (End of Support)
- IIS 8.5 confirms Windows Server 2012 R2
- Extended support ended October 10, 2023
- No security updates unless on ESU program
- OS-level vulnerabilities accumulating

### Exchange 2016 (End of Support)
- Exchange 2016 mainstream support ended October 14, 2025
- Only receives patches via Extended Security Update (ESU) program — PAID
- Patching stopped after the September 2025 update, which may mean there is no ESU enrollment
- Missing 3 patches suggests they lost access to updates or stopped patching

### Exposed Attack Surface
- OWA login: publicly accessible (credential brute-force)
- ECP admin panel: publicly accessible (admin takeover if creds obtained)
- EWS: publicly accessible (API-level email access with creds)
- MAPI over HTTP: publicly accessible (Outlook protocol)
- RPC over HTTP: publicly accessible (legacy Outlook protocol)
- Healthcheck: leaks internal AD domain and server FQDN

### Email Security Failures
- DMARC: p=none (no enforcement — spoofing possible)
- DKIM: NOT CONFIGURED (no email signing)
- SPF leaks 5 origin IPs behind Cloudflare
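The DMARC finding above (p=none means receivers only monitor, so spoofed mail is still delivered) as an added defensive check, not part of the original report. The records below are constructed for illustration and are not any real domain's DNS; the code parses a DMARC TXT record and reports why it does or does not enforce:

```python
def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return the effective policy, whether it enforces, and a list of findings."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"policy": None, "enforced": False,
                "findings": ["no valid DMARC record: receivers apply no policy"]}
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, mail failing DMARC is still delivered")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp defaults to p; an explicit sp=none reopens subdomains under an enforced p.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains are not covered by the enforced policy")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports not collected, abuse goes unseen")
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "enforced": enforced, "findings": findings}

# Constructed sample records for a placeholder domain, not real DNS data.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.org"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED):
        print(assess_dmarc(rec))
```

In a real assessment the record is fetched from `_dmarc.<domain>` TXT, and DKIM presence is checked separately against the sending selectors, since DMARC alone cannot show whether outbound mail is signed.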

---

## Compound Attack Scenarios

### Scenario 1: CVE-2025-59249 + ECP Access
1. Obtain valid credentials (phishing, brute-force, credential stuffing)
2. Log in to OWA with a low-privilege account
3. Exploit CVE-2025-59249 (CVSS 8.8) to escalate to Exchange admin
4. Access ECP admin panel with elevated privileges
5. Full mailbox access, transport rules, server configuration

### Scenario 2: Email Spoofing + CVE-2026-21527
1. DMARC p=none + no DKIM = spoofing @almayadeen.net trivially possible
2. CVE-2026-21527 allows UI misrepresentation (no auth needed)
3. Combined: craft spoofed emails that also manipulate Exchange UI display
4. Perfect for spear-phishing internal users

### Scenario 3: Credential Spray + Full Access
1. EWS endpoint accepts authentication attempts
2. Spray common passwords against ITTIHADTV\username format
3. Login reason codes (0=none, 2=invalid, 3=locked) enable blind enumeration
4. Valid creds → EWS → programmatic email access to all mailboxes

---

## Intelligence Summary

| Finding | Severity |
|---------|----------|
| 6 unpatched CVEs (2 HIGH, 1 MEDIUM, 3 unrated) | CRITICAL |
| Windows Server 2012 R2 (unsupported OS) | HIGH |
| Exchange 2016 (end of support) | HIGH |
| OWA/ECP/EWS/MAPI/RPC all public | HIGH |
| DMARC p=none + no DKIM | HIGH |
| AD domain leaked (ITTIHADTV.LOCAL) | MEDIUM |
| 5 origin IPs leaked via SPF | MEDIUM |
| Login reason codes enable enumeration | MEDIUM |

**Bottom line:** This Exchange server is running an unsupported OS with an end-of-life mail server missing 3 security updates containing 6 CVEs, with every attack surface publicly exposed and email spoofing trivially possible.

---

*Analysis: Feb 28, 2026*
*Sources: Microsoft Learn build numbers, NVD, CISA ED 25-02, Rapid7, Wiz*
