Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.
AnalysisAI
Server-side request forgery in Microsoft Exchange Server enables an authenticated low-privilege attacker to coerce the server into issuing outbound network requests to internal or external resources, resulting in information disclosure. Affected deployments span Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and the current Subscription Edition - all at versions below their respective patched builds. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the Changed scope in the CVSS vector indicates the server can reach resources beyond its own trust boundary, amplifying reconnaissance value for an already-authenticated adversary.
Technical ContextAI
CWE-918 (Server-Side Request Forgery) describes a class of vulnerability where an application accepts user-controlled input and uses it to construct and issue a server-side HTTP or network request without adequate validation. In Exchange Server, the attacker - holding at minimum a low-privilege mail account - can influence the destination or parameters of an internal request. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N is particularly informative: the Changed scope (S:C) confirms the vulnerability crosses a security boundary, meaning Exchange can be used as a proxy to reach internal services, cloud metadata endpoints (e.g., IMDS), or segmented network hosts that would otherwise be unreachable from the attacker's position. Affected CPE targets span Exchange 15.01.x (Exchange 2016) and 15.02.x (Exchange 2019 and Subscription Edition) build families as enumerated in ENISA EUVD-2026-35678.
RemediationAI
The vendor-released patch is available via Microsoft's Security Response Center. Administrators should update Exchange Server 2016 CU23 to build 15.01.2507.069 or later, Exchange Server 2019 CU14 to build 15.02.1544.041 or later, Exchange Server 2019 CU15 to build 15.02.1748.046 or later, and Exchange Server Subscription Edition to build 15.02.2562.043 or later. Patch guidance and downloads are detailed at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45502. Where immediate patching is not feasible, the SSRF attack surface can be partially reduced by restricting outbound HTTP/HTTPS connectivity from Exchange servers to only required destinations via egress firewall rules - this limits the value of any internal probe attempts but does not eliminate the vulnerability. Blocking access from untrusted low-privilege accounts to Exchange web-facing endpoints (e.g., via network segmentation or conditional access policies) would further constrain attacker reach, at the cost of potentially disrupting legitimate Outlook Web Access or EWS usage patterns. Patching remains the only definitive remediation.
More in Exchange Server
View allMicrosoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows
Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35678
GHSA-pg2w-h945-7pf7