🟠 High | Source: Microsoft Security Response Center
A flaw in Microsoft Exchange Online allows an already-authenticated attacker to gain higher privileges than they should have, potentially accessing or manipulating mailboxes and data beyond their authorised scope. The vulnerability is exploitable over the network, meaning no local access is required. Because Exchange Online is a widely used cloud email platform, the blast radius across enterprise environments could be significant.
Security Architect’s Take: Review audit logs in Microsoft Purview and Exchange Online for anomalous permission changes or unusual mailbox access patterns, particularly by accounts with lower baseline privileges. Ensure you have least-privilege role assignments in place and monitor for any unexpected changes to Exchange RBAC roles while Microsoft deploys a fix — as a SaaS service, patching is handled by Microsoft, but detective controls remain your responsibility.
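One way to operationalise the audit-log review above, as an added PowerShell example that is not part of the advisory or Microsoft's guidance: it pulls Exchange admin audit records for role and mailbox-permission changes and flags those made by accounts outside a known administrator list. The administrator UPNs, the 14-day window and the operation list are assumptions to adjust for your tenant.

```powershell
# Added example, not from the advisory. Requires the ExchangeOnlineManagement
# module and an account permitted to read the unified audit log.
Connect-ExchangeOnline

# Assumed: the accounts expected to make RBAC or permission changes (placeholder UPNs).
$KnownAdmins = @('exo-admin@contoso.example', 'breakglass@contoso.example')
$Start = (Get-Date).AddDays(-14)   # assumed review window
$End   = Get-Date

# Admin cmdlets that change who holds Exchange roles or who can act on a mailbox.
$WatchedOps = @(
    'New-ManagementRoleAssignment', 'Set-ManagementRoleAssignment',
    'Remove-ManagementRoleAssignment', 'New-RoleGroup',
    'Add-RoleGroupMember', 'Update-RoleGroupMember',
    'Add-MailboxPermission', 'Add-RecipientPermission'
)

$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -RecordType ExchangeAdmin -Operations $WatchedOps -ResultSize 5000

$Findings = foreach ($r in $Records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Flatten the cmdlet parameters into "Name=Value" pairs so the grant is readable.
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    [pscustomobject]@{
        Time       = $d.CreationTime
        Actor      = $d.UserId
        Operation  = $d.Operation
        Target     = $d.ObjectId
        ClientIP   = $d.ClientIP
        Params     = $params
        # A change made by an account outside the known admin set is the item to triage.
        Unexpected = ($d.UserId -notin $KnownAdmins)
    }
}

$Findings | Where-Object Unexpected | Sort-Object Time | Format-Table -AutoSize

# Baseline check: role assignments granted directly to individual users bypass
# role-group governance, so list them for review alongside the audit findings.
Get-ManagementRoleAssignment -RoleAssigneeType User |
    Select-Object Name, Role, RoleAssignee | Format-Table -AutoSize
```

Run it on a schedule and compare the direct-assignment list against the previous run; a new row is the RBAC change the paragraph above tells you to watch for.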
Original advisory: CVE-2026-54998 Microsoft Exchange Online Elevation of Privilege Vulnerability