Server-Side Request Forgery Vulnerability in Microsoft Exchange Server
CVE-2026-45504
Key Information:
- Vendor
Microsoft
- Status
- Vendor
- CVE Published:
- 9 June 2026
Badges
What is CVE-2026-45504?
CVE-2026-45504 is a critical vulnerability found in Microsoft Exchange Server, a widely used email and calendaring platform primarily utilized by organizations for communication and collaboration. This vulnerability pertains to server-side request forgery (SSRF), which enables an authorized attacker to manipulate the server into making unintended requests to internal resources. By exploiting this flaw, attackers can potentially elevate their privileges within the network, leading to unauthorized access to sensitive data or other networked systems. The implications of this vulnerability are significant, as it could result in severe data breaches, manipulation of internal services, and the possibility of lateral movement within the network by malicious actors.
Potential Impact of CVE-2026-45504
-
Unauthorized Access and Data Exposure: Exploiting this vulnerability can allow attackers to gain extensive access to internal resources that are typically protected, potentially leading to the exposure of sensitive organizational data.
-
Privilege Escalation: With the ability to elevate privileges, attackers could execute unauthorized actions within the network, including modifying configurations or accessing highly secured systems, compounding the impact of the initial breach.
-
Increased Risk of Malware Infiltration: The exploitation of CVE-2026-45504 creates opportunities for attackers to deploy malware within the internal network, enhancing the likelihood of further compromises or the deployment of ransomware, increasing the overall risk profile for affected organizations.
Affected Version(s)
Microsoft Exchange Server 2016 Cumulative Update 23 x64-based Systems 15.01.0.0 < 15.01.2507.069
Microsoft Exchange Server 2019 Cumulative Update 14 x64-based Systems 15.02.0.0 < 15.02.1544.041
Microsoft Exchange Server 2019 Cumulative Update 15 x64-based Systems 15.02.0.0 < 15.02.1748.046
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability - IT Security News
A public proof-of-concept exploit is now available for CVE-2026-45504, a high‑severity server-side request forgery vulnerability in Microsoft Exchange Server that enables privilege escalation via arbitrary file reads. The flaw affects on‑premises Exchange Server 2016 and 2019, including Subscription...
1 week ago
PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability
A public PoC has been released for CVE-2026-45504, an Exchange Server flaw that enables arbitrary file reads and privilege escalation.
1 week ago

References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 📰
First article discovered by Cybersecuritynews
Vulnerability published
Vulnerability Reserved