CVE-2026-55009 is a Microsoft Exchange Server Elevation of Privilege vulnerability caused by deserialization of untrusted data. Microsoft rates it at CVSS v3.1 base 7.8 and temporal 6.8. The vector is LOCAL, with LOW attack complexity, LOW privileges required, and no user interaction. The impact is high for confidentiality, integrity, and availability. Microsoft lists public disclosure as No, exploitation as No, and exploit code maturity as UNPROVEN. Because this is a local-only elevation of privilege issue rather than a network-reachable flaw, enterprise risk is more limited than for remote vulnerabilities, but it remains important for systems where untrusted local access is possible. Highlights: - CVSS scores: Base 7.8 - Temporal 6.8 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege; confidentiality, integrity, and availability impacts are all HIGH. - Exploitation likelihood: Not stated as “Exploitation More Likely”; Microsoft lists exploitation as unlikely. Vector context is LOCAL with LOW attack complexity, LOW privileges required, and no user interaction. - Severity for enterprise: High severity by CVSS, but lower enterprise exposure than remote flaws because the attack is local-only. Risk is most relevant where local access exists on Exchange Server systems. - Patch status: available; customer action is required. Affected systems: - No products listed in the source data.