CVE-2026-21527 - Vulnerability Details - OpenCVE

User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Exchange Server 2016 Exchange Server 2019 Exchange Server Se

No data.

No data.

No data.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21527

History

Tue, 10 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
Title		Microsoft Exchange Server Spoofing Vulnerability
First Time appeared		Microsoft Microsoft exchange Server 2016 Microsoft exchange Server 2019 Microsoft exchange Server Se
Weaknesses		CWE-1286 CWE-345 CWE-451
CPEs		cpe:2.3:a:microsoft:exchange_server_2016::cumulative_update_23::::::* cpe:2.3:a:microsoft:exchange_server_2019::cumulative_update_14::::::* cpe:2.3:a:microsoft:exchange_server_2019::cumulative_update_15::::::* cpe:2.3:a:microsoft:exchange_server_se::RTM::::::*
Vendors & Products		Microsoft Microsoft exchange Server 2016 Microsoft exchange Server 2019 Microsoft exchange Server Se
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21527
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C'}`

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-02-10T17:51:30.280Z

Updated: 2026-02-10T20:38:34.066Z

Reserved: 2025-12-30T18:10:54.846Z

Link: CVE-2026-21527

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-10T18:16:35.093

Modified: 2026-02-10T21:51:48.077

Link: CVE-2026-21527

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21527", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.846Z", "datePublished": "2026-02-10T17:51:30.280Z", "dateUpdated": "2026-02-10T20:38:34.066Z"}, "containers": {"cna": {"title": "Microsoft Exchange Server Spoofing Vulnerability", "datePublic": "2026-02-10T08:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*", "versionStartIncluding": "15.02.0.0", "versionEndExcluding": "15.02.2562.037"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*", "versionStartIncluding": "15.01.0.0", "versionEndExcluding": "15.01.2507.066"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*", "versionStartIncluding": "15.02.0.0", "versionEndExcluding": "15.02.1748.043"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*", "versionStartIncluding": "15.02.0.0", "versionEndExcluding": "15.02.1544.039"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Exchange Server Subscription Edition RTM", "platforms": ["x64-based Systems"], "versions": [{"version": "15.02.0.0", "lessThan": "15.02.2562.037", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Exchange Server 2016 Cumulative Update 23", "platforms": ["x64-based Systems"], "versions": [{"version": "15.01.0.0", "lessThan": "15.01.2507.066", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Exchange Server 2019 Cumulative Update 15", "platforms": ["x64-based Systems"], "versions": [{"version": "15.02.0.0", "lessThan": "15.02.1748.043", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Exchange Server 2019 Cumulative Update 14", "platforms": ["x64-based Systems"], "versions": [{"version": "15.02.0.0", "lessThan": "15.02.1544.039", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information", "lang": "en-US", "type": "CWE", "cweId": "CWE-451"}, {"description": "CWE-345: Insufficient Verification of Data Authenticity", "lang": "en-US", "type": "CWE", "cweId": "CWE-345"}, {"description": "CWE-1286: Improper Validation of Syntactic Correctness of Input", "lang": "en-US", "type": "CWE", "cweId": "CWE-1286"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-02-10T20:38:34.066Z"}, "references": [{"name": "Microsoft Exchange Server Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21527"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C"}}]}}}