Skip to main content

Microsoft Exchange Server CVE-2026-45504

| EUVDEUVD-2026-35680 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-09 secure@microsoft.com GHSA-x3fg-4h2p-6mgp
8.8
CVSS 3.1 · NVD
Temporal: 7.7
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.7 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:17 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 8.8

DescriptionNVD

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.

Technical ContextAI

The vulnerability is rooted in CWE-918 (Server-Side Request Forgery), a class of bug where a server fetches a URL or resource using attacker-supplied input without sufficiently validating the destination. In the Exchange context, SSRF flaws have historically been weaponized against internal endpoints (Autodiscover, EWS, PowerShell remoting, backend Exchange services) because Exchange services run with high privileges and can authenticate to internal interfaces on behalf of the calling identity. The CVSS scope is Unchanged (S:U), indicating impact remains within the Exchange security context rather than crossing to the host OS, but the C:H/I:H/A:H rating means the attacker can read, modify, and disrupt resources accessible to the Exchange service account. The single NVD-listed reference is the Microsoft MSRC advisory; no CPE strings, KEV entry, or EPSS score were provided in the input.

RemediationAI

Patch available per vendor advisory - apply the security update referenced on Microsoft's MSRC page at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45504 for your Exchange Server version and cumulative update level, and confirm the exact fix build number from that advisory before deployment. As compensating controls while patching is scheduled, restrict external access to Exchange management and backend endpoints (EWS, ECP, PowerShell, Autodiscover) via the perimeter or reverse proxy, enforce multi-factor authentication on all mailbox accounts to raise the cost of the PR:L precondition, and segment Exchange servers from sensitive internal HTTP services so an SSRF cannot reach metadata, AD, or admin interfaces; note that blocking ECP/EWS at the perimeter will break OWA/Outlook-on-the-web client access for remote users and is only suitable as a short-term stopgap. Review IIS and Exchange logs for anomalous outbound or loopback requests originating from the Exchange worker process.

CVE-2020-17132 CRITICAL POC
9.1 Dec 10

Microsoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote

CVE-2022-23277 HIGH POC
8.8 Mar 09

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2021-42321 HIGH POC
8.8 Nov 10

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-16875 HIGH POC
8.4 Sep 11

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume

CVE-2021-28481 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-28480 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-0986 HIGH POC
8.8 Apr 04

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci

CVE-2018-16793 HIGH POC
8.6 Sep 21

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame

CVE-2019-0724 HIGH POC
8.1 Mar 05

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of

CVE-2023-36745 HIGH POC
8.0 Sep 12

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low

CVE-2013-0418 MEDIUM
6.8 Jan 17

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows

CVE-2021-33766 HIGH POC
7.3 Jul 14

Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re

Share

CVE-2026-45504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy