MEIFP – Most Exploited Internet-Facing Products

Microsoft

Products: .NET · ASP.NET Core · Azure Kubernetes Service · Azure Migrate · Microsoft .NET Framework · Microsoft 365 Apps for Enterprise · Microsoft Azure Functions · Microsoft Configuration Manager · Microsoft Dataverse · Microsoft Defender for IoT · Microsoft Edge (Chromium-based) · Microsoft Entra · Microsoft Exchange Server 2016 Cumulative Update 23 · Microsoft Exchange Server 2019 Cumulative Update 13 · Microsoft Exchange Server 2019 Cumulative Update 14 · Microsoft Exchange Server 2019 Cumulative Update 15 · Microsoft Exchange Server Subscription Edition RTM · Microsoft ODBC Driver 17 for SQL Server on Linux · Microsoft ODBC Driver 17 for SQL Server on MacOS · Microsoft ODBC Driver 17 for SQL Server on Windows

544.8

Score

CVEs

Active

PoC

KEV

Rank

Period:

Product:

CVE ID	Published	CVSS	Exploit	KEV	AC	PR	Auto	Score(hover)	Affected Products	Description
CVE-2026-49336	2026-06-19	5.5v4.0	POC	—	Low	None	YES	0.0	kiota-typescript	@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect target
CVE-2026-46402	2026-05-27	8.1v3.1	POC	—	Low	Low	no	0.0	UFO	Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause U
CVE-2026-46414	2026-05-27	8.8v3.1	POC	—	Low	Low	no	0.0	UFO	Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK mess
CVE-2026-46416	2026-05-27	6.3v3.1	POC	—	Low	Low	no	0.0	UFO	Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutab
CVE-2026-46544	2026-05-27	5.3v3.1	POC	—	High	Low	no	0.0	UFO	Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session
CVE-2026-32201	2026-04-14	6.5v3.1	ACTIVE		Low	None	YES	40.6	Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019Microsoft SharePoint Server Subscription Edition	Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-24888	2026-01-28	6.5v3.1	POC	—	Low	None	YES	0.0	maker.js	Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `has
CVE-2026-20963	2026-01-13	9.8v3.1	ACTIVE		Low	None	YES	40.6	Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019Microsoft SharePoint Server Subscription Edition	Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
CVE-2025-55315	2025-10-14	9.9v3.1	POC	—	Low	Low	no	0.0	ASP.NET CoreMicrosoft Visual Studio 2022 version 17.10Microsoft Visual Studio 2022 version 17.12Microsoft Visual Studio 2022 version 17.14	Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
CVE-2025-59287	2025-10-14	9.8v3.1	ACTIVE		Low	None	YES	40.6	Windows Server 2012Windows Server 2012 (Server Core installation)Windows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)Windows Server 2019Windows Server 2019 (Server Core installation)Windows Server 2022Windows Server 2022, 23H2 Edition (Server Core installation)	Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
CVE-2025-54914	2025-09-04	10.0v3.1	POC	—	Low	None	YES	0.0	Networking	Azure Networking Elevation of Privilege Vulnerability
CVE-2025-55241	2025-09-04	10.0v3.1	POC	—	Low	None	YES	0.0	Microsoft Entra	Azure Entra ID Elevation of Privilege Vulnerability
CVE-2025-50165	2025-08-12	9.8v3.1	POC	—	Low	None	YES	0.0	Windows 11 Version 24H2Windows Server 2025Windows Server 2025 (Server Core installation)	Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
CVE-2025-53770	2025-07-20	9.8v3.1	ACTIVE		Low	None	YES	40.6	Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019Microsoft SharePoint Server Subscription Edition	Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulne
CVE-2025-49704	2025-07-08	8.8v3.1	ACTIVE		Low	Low	no	26.4	Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019	Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2025-49706	2025-07-08	6.5v3.1	ACTIVE		Low	None	no	31.2	Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019Microsoft SharePoint Server Subscription Edition	Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-7326	2025-07-08	7.0v3.1	POC	—	High	None	no	0.0	ASP.NET CoreMicrosoft.AspNetCore.App.Runtime.linux-armMicrosoft.AspNetCore.App.Runtime.linux-arm64Microsoft.AspNetCore.App.Runtime.linux-musl-armMicrosoft.AspNetCore.App.Runtime.linux-musl-arm64Microsoft.AspNetCore.App.Runtime.linux-musl-x64Microsoft.AspNetCore.App.Runtime.linux-x64Microsoft.AspNetCore.App.Runtime.osx-arm64Microsoft.AspNetCore.App.Runtime.osx-x64Microsoft.AspNetCore.App.Runtime.win-arm	Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
CVE-2025-33073	2025-06-10	8.8v3.1	ACTIVE		Low	Low	no	26.4	Windows 10 Version 1507Windows 10 Version 1607Windows 10 Version 1809Windows 10 Version 21H2Windows 10 Version 22H2Windows 11 version 22H2Windows 11 version 22H3Windows 11 Version 23H2Windows 11 Version 24H2Windows Server 2008 R2 Service Pack 1	Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
CVE-2025-24989	2025-02-19	8.2v3.1	ACTIVE		Low	None	no	31.2	Microsoft Power Pages	An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected customers have been notified. This update ad
CVE-2025-21298	2025-01-14	9.8v3.1	POC	—	Low	None	YES	0.0	Windows 10 Version 1507Windows 10 Version 1607Windows 10 Version 1809Windows 10 Version 21H2Windows 10 Version 22H2Windows 11 version 22H2Windows 11 version 22H3Windows 11 Version 23H2Windows 11 Version 24H2Windows Server 2008 R2 Service Pack 1	Windows OLE Remote Code Execution Vulnerability
CVE-2024-49040	2024-11-12	7.5v3.1	POC	—	Low	None	YES	0.0	Microsoft Exchange Server 2016 Cumulative Update 23Microsoft Exchange Server 2019 Cumulative Update 13Microsoft Exchange Server 2019 Cumulative Update 14	Microsoft Exchange Server Spoofing Vulnerability
CVE-2024-38139	2024-10-15	8.7v3.1	POC	—	Low	High	no	0.0	Microsoft Dataverse	Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.
CVE-2024-38190	2024-10-15	8.6v3.1	POC	—	Low	None	YES	0.0	Microsoft Power Platform	Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector.
CVE-2024-38204	2024-10-15	7.5v3.1	POC	—	Low	None	YES	0.0	Microsoft Azure Functions	Improper access control in Imagine Cup allows an authorized attacker to elevate privileges over a network.
CVE-2024-43468	2024-10-08	9.8v3.1	ACTIVE		Low	None	YES	40.6	Microsoft Configuration Manager	Microsoft Configuration Manager Remote Code Execution Vulnerability
CVE-2024-38063	2024-08-13	9.8v3.1	POC	—	Low	None	YES	0.0	Windows 10 Version 1507Windows 10 Version 1607Windows 10 Version 1809Windows 10 Version 21H2Windows 10 Version 22H2Windows 11 version 21H2Windows 11 version 22H2Windows 11 version 22H3Windows 11 Version 23H2Windows 11 Version 24H2	Windows TCP/IP Remote Code Execution Vulnerability
CVE-2024-38094	2024-07-09	7.2v3.1	ACTIVE		Low	High	no	24.0	Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Server 2019Microsoft SharePoint Server Subscription Edition	Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2024-30053	2024-05-14	6.5v3.1	POC	—	Low	Low	no	0.0	Azure Migrate	Azure Migrate Cross-Site Scripting Vulnerability
CVE-2024-29053	2024-04-09	8.8v3.1	POC	—	Low	Low	no	0.0	Microsoft Defender for IoT	Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-29059	2024-03-22	7.5v3.1	ACTIVE		Low	None	YES	40.6	Microsoft .NET Framework	.NET Framework Information Disclosure Vulnerability
CVE-2024-21392	2024-03-12	7.5v3.1	POC	—	Low	None	YES	0.0	.NETMicrosoft Visual Studio 2022 version 17.4Microsoft Visual Studio 2022 version 17.6Microsoft Visual Studio 2022 version 17.8Microsoft Visual Studio 2022 version 17.9PowerShell 7.3PowerShell 7.4	.NET and Visual Studio Denial of Service Vulnerability
CVE-2024-21400	2024-03-12	9.0v3.1	POC	—	High	None	no	0.0	Azure Kubernetes Service	Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-21404	2024-02-13	7.5v3.1	POC	—	Low	None	YES	0.0	.NETMicrosoft Visual Studio 2022 version 17.4Microsoft Visual Studio 2022 version 17.6Microsoft Visual Studio 2022 version 17.8	.NET Denial of Service Vulnerability
CVE-2024-21410	2024-02-13	9.8v3.1	ACTIVE		Low	None	YES	40.6	Microsoft Exchange Server 2016 Cumulative Update 23Microsoft Exchange Server 2019 Cumulative Update 13Microsoft Exchange Server 2019 Cumulative Update 14	Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2024-21413	2024-02-13	9.8v3.1	ACTIVE		Low	None	YES	40.6	Microsoft 365 Apps for EnterpriseMicrosoft Office 2016Microsoft Office 2019Microsoft Office LTSC 2021	Microsoft Outlook Remote Code Execution Vulnerability
CVE-2023-36038	2023-11-14	8.2v3.1	POC	—	Low	None	no	0.0	.NETASP.NET CoreMicrosoft Visual Studio 2022 version 17.2Microsoft Visual Studio 2022 version 17.4Microsoft Visual Studio 2022 version 17.6Microsoft Visual Studio 2022 version 17.7	ASP.NET Core Denial of Service Vulnerability
CVE-2023-41763	2023-10-10	5.3v3.1	ACTIVE		Low	None	YES	40.6	Skype for Business Server 2015 CU13Skype for Business Server 2019 CU7	Skype for Business Elevation of Privilege Vulnerability
CVE-2023-36873	2023-08-08	7.4v3.1	POC	—	High	None	no	0.0	Microsoft .NET Framework	.NET Framework Spoofing Vulnerability
CVE-2023-38180	2023-08-08	7.5v3.1	ACTIVE		Low	None	YES	40.6	.NETASP.NET CoreMicrosoft Visual Studio 2022 version 17.2Microsoft Visual Studio 2022 version 17.4Microsoft Visual Studio 2022 version 17.6	.NET and Visual Studio Denial of Service Vulnerability

Each CVE: 10 pts base (Active only), boosted by:

KEV×2.0AC: Low×1.2PR: None×1.3PR: Low×1.1Auto×1.3