Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation via server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low-level network access to coerce the Exchange server into making attacker-controlled requests, resulting in high impact to confidentiality, integrity, and availability. The flaw is network-exploitable with low complexity (CVSS 8.8) but requires prior authentication, and no public exploit identified at time of analysis. As a Microsoft-discovered issue (reported by secure@microsoft.com), it is consistent with the broader pattern of Exchange SSRF chains used to pivot to elevated mailbox or domain access.
Technical ContextAI
The vulnerability is rooted in CWE-918 (Server-Side Request Forgery), a class of bug where a server fetches a URL or resource using attacker-supplied input without sufficiently validating the destination. In the Exchange context, SSRF flaws have historically been weaponized against internal endpoints (Autodiscover, EWS, PowerShell remoting, backend Exchange services) because Exchange services run with high privileges and can authenticate to internal interfaces on behalf of the calling identity. The CVSS scope is Unchanged (S:U), indicating impact remains within the Exchange security context rather than crossing to the host OS, but the C:H/I:H/A:H rating means the attacker can read, modify, and disrupt resources accessible to the Exchange service account. The single NVD-listed reference is the Microsoft MSRC advisory; no CPE strings, KEV entry, or EPSS score were provided in the input.
RemediationAI
Patch available per vendor advisory - apply the security update referenced on Microsoft's MSRC page at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45504 for your Exchange Server version and cumulative update level, and confirm the exact fix build number from that advisory before deployment. As compensating controls while patching is scheduled, restrict external access to Exchange management and backend endpoints (EWS, ECP, PowerShell, Autodiscover) via the perimeter or reverse proxy, enforce multi-factor authentication on all mailbox accounts to raise the cost of the PR:L precondition, and segment Exchange servers from sensitive internal HTTP services so an SSRF cannot reach metadata, AD, or admin interfaces; note that blocking ECP/EWS at the perimeter will break OWA/Outlook-on-the-web client access for remote users and is only suitable as a short-term stopgap. Review IIS and Exchange logs for anomalous outbound or loopback requests originating from the Exchange worker process.
More in Exchange Server
View allMicrosoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows
Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35680
GHSA-x3fg-4h2p-6mgp