CVE-2025-58107 is a vulnerability identified in Microsoft Exchange servers through the 2019 version, specifically impacting Exchange ActiveSync (EAS) configurations deployed on-premises. The flaw causes sensitive data transmitted from Samsung mobile devices to the Exchange server to be sent in cleartext over the network. The exposed data includes the user's name, email address, device ID, bearer token, and base64-encoded password. This cleartext transmission occurs due to improper handling or lack of encryption in the EAS protocol implementation when interacting with Samsung devices, potentially due to device-specific or protocol-specific quirks. Attackers with network access to the communication channel between the mobile device and the Exchange server can intercept this data using man-in-the-middle (MITM) techniques or network sniffing tools. The bearer token and base64-encoded password exposure is particularly critical, as these credentials can be used to impersonate users and gain unauthorized access to email accounts and related services. The vulnerability does not require user interaction but does require the attacker to be positioned on the network path, such as within the same local network or via compromised network infrastructure. No CVSS score has been assigned yet, and no public exploits have been reported. The lack of patches or official mitigation guidance at the time of publication means organizations must rely on network monitoring and configuration hardening to reduce risk. This vulnerability highlights the importance of ensuring encryption is enforced end-to-end in EAS communications and that device-specific behaviors are accounted for in security configurations.

The primary impact of CVE-2025-58107 is the compromise of confidentiality and integrity of sensitive user data transmitted between Samsung mobile devices and on-premises Microsoft Exchange servers using Exchange ActiveSync. Attackers intercepting this cleartext data can harvest user credentials and tokens, enabling unauthorized access to corporate email accounts and potentially other connected services. This can lead to data breaches, espionage, phishing campaigns, and lateral movement within an organization’s network. The exposure of bearer tokens and passwords increases the risk of account takeover and persistent access. Organizations relying heavily on Exchange ActiveSync for mobile email access, especially those with many Samsung device users, face increased risk. The vulnerability also undermines trust in the security of mobile email communications and may lead to regulatory compliance issues if sensitive data is leaked. Although exploitation requires network access, the widespread use of Wi-Fi and potential for compromised network infrastructure increases the attack surface. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once details are public.

Organizations should immediately audit their Exchange ActiveSync configurations to ensure encryption is enforced for all communications, particularly with Samsung mobile devices. Network administrators should implement network segmentation and enforce the use of VPNs or other secure tunnels for mobile device connections to the Exchange server. Monitoring network traffic for unencrypted EAS communications can help detect potential exploitation attempts. Applying the latest Microsoft Exchange updates and patches as they become available is critical, even though no patch is currently listed. Organizations should consider restricting or closely monitoring the use of Samsung devices for accessing Exchange services until the vulnerability is resolved. Employing multi-factor authentication (MFA) on Exchange accounts can reduce the risk of account compromise even if credentials are intercepted. Security teams should also educate users about the risks of connecting to untrusted networks and encourage the use of secure Wi-Fi connections. Finally, organizations should prepare incident response plans to quickly address any suspected compromise resulting from this vulnerability.