Server-Side Request Forgery Vulnerability in Microsoft Exchange Server
CVE-2026-45504

8.8HIGH

What is CVE-2026-45504?

CVE-2026-45504 is a critical vulnerability found in Microsoft Exchange Server, a widely used email and calendaring platform primarily utilized by organizations for communication and collaboration. This vulnerability pertains to server-side request forgery (SSRF), which enables an authorized attacker to manipulate the server into making unintended requests to internal resources. By exploiting this flaw, attackers can potentially elevate their privileges within the network, leading to unauthorized access to sensitive data or other networked systems. The implications of this vulnerability are significant, as it could result in severe data breaches, manipulation of internal services, and the possibility of lateral movement within the network by malicious actors.

Potential Impact of CVE-2026-45504

  1. Unauthorized Access and Data Exposure: Exploiting this vulnerability can allow attackers to gain extensive access to internal resources that are typically protected, potentially leading to the exposure of sensitive organizational data.

  2. Privilege Escalation: With the ability to elevate privileges, attackers could execute unauthorized actions within the network, including modifying configurations or accessing highly secured systems, compounding the impact of the initial breach.

  3. Increased Risk of Malware Infiltration: The exploitation of CVE-2026-45504 creates opportunities for attackers to deploy malware within the internal network, enhancing the likelihood of further compromises or the deployment of ransomware, increasing the overall risk profile for affected organizations.

Affected Version(s)

Microsoft Exchange Server 2016 Cumulative Update 23 x64-based Systems 15.01.0.0 < 15.01.2507.069

Microsoft Exchange Server 2019 Cumulative Update 14 x64-based Systems 15.02.0.0 < 15.02.1544.041

Microsoft Exchange Server 2019 Cumulative Update 15 x64-based Systems 15.02.0.0 < 15.02.1748.046

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability - IT Security News

A public proof-of-concept exploit is now available for CVE-2026-45504, a high‑severity server-side request forgery vulnerability in Microsoft Exchange Server that enables privilege escalation via arbitrary file reads. The flaw affects on‑premises Exchange Server 2016 and 2019, including Subscription...

1 week ago

PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability

A public PoC has been released for CVE-2026-45504, an Exchange Server flaw that enables arbitrary file reads and privilege escalation.

1 week ago

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by Cybersecuritynews

  • Vulnerability published

  • Vulnerability Reserved

.