IsItPatchedInstant security status for any software version
← All products

Microsoft Exchange Server

Microsoft
20/100 Critical · exploited

ℹ On-premises Exchange Server only. Exchange Online (Microsoft 365) is a cloud service patched by Microsoft and is not covered here.

Summary iPlain-English security verdict for Microsoft Exchange Server, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.

Microsoft Exchange Server currently scores 20/100 — critical, with active exploitation. 20 of its known vulnerabilities are being actively exploited in the wild (CISA KEV), including CVE-2020-0688. The latest supported release is 15.2.2562.41. Upgrade immediately and review your exposure to the actively-exploited CVEs below. Note: this product is assessed at the product level on recent (365-day) activity rather than an exact per-version match, so it is never marked a confident "healthy".

Disclosure trend iNew CVEs published for Microsoft Exchange Server each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.

'19
'20
'21
'22
'23
'24
'25
'26

⚠ 14 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).

Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.

Most urgent first — actively exploited, then likeliest to be exploited.

CVE-2020-0688 HIGH ● exploited ⚠ ransomware Improper authentication EPSS 94% → see advisory CVE-2021-26855 CRITICAL ● exploited ⚠ ransomware Server-side request forgery (SSRF) EPSS 94% → see advisory CVE-2021-34473 CRITICAL ● exploited ⚠ ransomware Server-side request forgery (SSRF) EPSS 94% → see advisory CVE-2022-41040 HIGH ● exploited ⚠ ransomware Server-side request forgery (SSRF) EPSS 94% → see advisory CVE-2021-27065 HIGH ● exploited ⚠ ransomware Path traversal EPSS 94% → see advisory CVE-2021-34523 CRITICAL ● exploited ⚠ ransomware EPSS 94% → see advisory CVE-2021-31207 MEDIUM ● exploited ⚠ ransomware Unrestricted file upload EPSS 94% → see advisory CVE-2022-41080 HIGH ● exploited ⚠ ransomware EPSS 94% → see advisory CVE-2021-33766 HIGH ● exploited EPSS 94% → see advisory CVE-2021-42321 HIGH ● exploited ⚠ ransomware EPSS 94% → see advisory CVE-2020-17144 HIGH ● exploited Insecure deserialization EPSS 92% → see advisory CVE-2018-8581 HIGH ● exploited ⚠ ransomware EPSS 92% → see advisory

Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.

How long each Microsoft Exchange Server release line is supported — and when it sunsets.

subscription latest 15.2.2562.41 Supported
2019 latest 15.2.1748.43 End of life ended 2025-10-14
2016 latest 15.1.2507.66 End of life ended 2025-10-14
2013 latest 15.0.1497.48 End of life ended 2023-04-11
2010 latest 14.3.513.0 End of life ended 2020-10-13
2007 latest 8.3.517.0 End of life ended 2017-04-11
2003 latest 6.5.7654.4 End of life ended 2014-04-08
2000 latest 6.0.6620.7 End of life ended 2011-01-11
5.5 latest 5.5.2653 End of life ended 2006-01-10
5.0 latest 5.0.1460 End of life ended 2006-01-10
See all upcoming end-of-life dates →

ℹ product-level posture (last 365d); exact per-version verdict pending precise version mapping

Last checked: Wed, 10 Jun 2026 22:18:30 UTC