Detections
Analytics

Security Updates for Microsoft Exchange Server (August 2025)

high Nessus Plugin ID 249140

Language:

Synopsis

The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.

Description

The Microsoft Exchange Server installed on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities as referenced in the August, 2025 security bulletin.

 - Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network. (CVE-2025-33051)

 - Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network. (CVE-2025-25005)

 - Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. (CVE-2025-25006)

 - Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. (CVE-2025-25007)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Microsoft has released the following security updates to address this issue:
 -KB5063221
 -KB5063222
 -KB5063223

See Also

http://www.nessus.org/u?ca5a35e4

http://www.nessus.org/u?739af1ae

http://www.nessus.org/u?d2b2fea2

Plugin Details

Severity: High

ID: 249140

File Name: smb_nt_ms25_aug_exchange.nasl

Version: 1.4

Type: local

Agent: windows

Published: 8/12/2025

Updated: 9/26/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2025-33051

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2025-33051

Vulnerability Information

CPE: cpe:/a:microsoft:exchange_server:2019, cpe:/a:microsoft:exchange_server:2016

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/12/2025

Vulnerability Publication Date: 8/6/2025

Reference Information

CVE: CVE-2025-25005, CVE-2025-25006, CVE-2025-25007, CVE-2025-33051

CWE: 1286, 167, 20, 200, 287

IAVA: 2025-A-0595

MSFT: MS25-5063221, MS25-5063222, MS25-5063223

MSKB: 5063221, 5063222, 5063223