Microsoft Exchange ActiveSync Plaintext Credential and Token Exposure Vulnerability

Vulnerability

A vulnerability in Microsoft Exchange ActiveSync (EAS) configurations on on-premises Exchange servers up to and including Exchange Server 2019 results in sensitive data from Samsung mobile devices being transmitted in cleartext. The exposed data includes the user's name, email address, device ID, bearer token, and base64-encoded password. The root cause is the continued use of Basic Authentication, which was officially deprecated on October 1, 2022, yet remains enabled on affected servers and so exposes credentials and tokens to interception.
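The configuration check a defender would run first is whether Basic Authentication is still enabled on the ActiveSync virtual directories. The following PowerShell audit is an added example, not part of this advisory or any vendor tool; it assumes an Exchange Management Shell session with permission to read (and, with -Remediate, write) virtual directory settings, and uses the standard on-premises Get-/Set-ActiveSyncVirtualDirectory cmdlets with their BasicAuthEnabled and WindowsAuthEnabled parameters.

```powershell
# Added example (not from the advisory): audit every ActiveSync virtual directory in an
# on-premises Exchange organization for Basic Authentication and optionally disable it.
# Without -Remediate the script only reports; with it, Basic auth is switched off and
# Windows (integrated) auth is left enabled so that other clients keep working.
param(
    [switch]$Remediate
)

# Read the AD-stored settings only; avoids a slow IIS metabase round-trip per server.
$dirs = Get-ActiveSyncVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, Identity, BasicAuthEnabled, WindowsAuthEnabled, InternalUrl, ExternalUrl

$findings = foreach ($d in $dirs) {
    # ExternalUrl/InternalUrl are System.Uri objects; a non-HTTPS scheme means the
    # base64 Basic credential and any bearer token cross the network as plaintext.
    $plainExternal = ($null -ne $d.ExternalUrl) -and ($d.ExternalUrl.Scheme -ne 'https')
    $plainInternal = ($null -ne $d.InternalUrl) -and ($d.InternalUrl.Scheme -ne 'https')

    [pscustomobject]@{
        Server           = $d.Server
        Identity         = $d.Identity
        BasicAuthEnabled = $d.BasicAuthEnabled
        PlaintextUrl     = $plainExternal -or $plainInternal
        # Highest risk: Basic auth on, and at least one published URL is not HTTPS.
        Risk             = if ($d.BasicAuthEnabled -and ($plainExternal -or $plainInternal)) { 'High' }
                           elseif ($d.BasicAuthEnabled) { 'Medium' } else { 'Low' }
    }

    if ($Remediate -and $d.BasicAuthEnabled) {
        # Caveat: EAS clients that only support Basic auth will stop syncing after this
        # change; confirm devices are on certificate-based or modern auth first.
        Set-ActiveSyncVirtualDirectory -Identity $d.Identity `
            -BasicAuthEnabled $false -WindowsAuthEnabled $true
        Write-Warning ("Disabled Basic Authentication on {0} ({1})" -f $d.Identity, $d.Server)
    }
}

$findings | Sort-Object Risk | Format-Table -AutoSize
```

Run it once without -Remediate to see which servers still accept Basic credentials, then again with -Remediate during a maintenance window after the mobile fleet has been moved off Basic Authentication.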

Impact

Exposed plaintext credentials and OAuth2 bearer tokens could be replayed to gain unauthorized access to user accounts, bypassing multi-factor authentication.

Added: Mar 2, 2026, 3:26 PM
Updated: Mar 2, 2026, 10:00 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 7.0
remediation: 0.0
relevance: 3.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.