Understanding Microsoft Exchange CVE‑2026‑45504: High‑Risk SSRF Vulnerability
CVE‑2026‑45504, disclosed on Microsoft’s Patch Tuesday (June 9, 2026), is a high‑severity Server‑Side Request Forgery flaw (CWE‑918) in Exchange Server. A low‑privileged authenticated user can make the server issue requests to internal resources under its own identity and escalate privileges; the flaw carries a CVSS 3.1 base score of 8.8.
Vulnerability Overview
CVE‑2026‑45504 was disclosed on June 9, 2026, during Microsoft’s Patch Tuesday. It is classified as a Server‑Side Request Forgery (SSRF) vulnerability (CWE‑918) with a CVSS 3.1 rating of 8.8, indicating a high‑severity risk. An attacker only needs a low‑privileged, authenticated Exchange account and no user interaction to exploit the flaw over the network.
Root Cause and Impact
The flaw lies in Exchange Server’s handling of user‑supplied URLs or hostnames, which are not strictly validated before the server uses them as the target of an outbound request. A low‑privileged authenticated user can therefore supply a target that makes the Exchange server issue HTTP/HTTPS requests to internal resources it would never expose to that user directly, such as loopback addresses or management interfaces. Because the forged requests are sent by the Exchange service itself, they carry the trust of its system or service account rather than the attacker’s. In environments where Exchange is tightly integrated with Active Directory and internal APIs, this lets the attacker bypass perimeter and network controls, read or modify high‑privilege resources (for example mailbox permissions, transport rules and role assignments), and use that foothold for lateral movement, up to full control of the corporate network.
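As an added example (the editor's illustration, not code from the article and not Exchange's own code, whose vulnerable code path is not public), the following PowerShell contrasts the unvalidated outbound fetch the paragraph describes with a guarded version built on the same .NET types an in-product fix would use. The allowlisted hostnames, the fake resolver and the addresses it returns are all constructed for the demonstration.

```powershell
# Editor's example of the SSRF bug class, not Exchange code. Shows an unvalidated
# outbound fetch next to one that checks scheme, userinfo, allowlist and resolved address.

# Hosts this component legitimately needs to reach. Constructed for the example (assumption).
$script:AllowedHosts = @('autodiscover.contoso.com', 'mail.contoso.com', 'alias.contoso.com')

function Test-PrivateAddress {
    # True for loopback, link-local, RFC 1918, unique-local and IPv4-mapped forms of those ranges.
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    if ($Address.IsIPv4MappedToIPv6) { return Test-PrivateAddress -Address $Address.MapToIPv4() }
    if ([System.Net.IPAddress]::IsLoopback($Address)) { return $true }          # 127/8, ::1
    $b = $Address.GetAddressBytes()
    if ($Address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        if ($b[0] -eq 0)  { return $true }                                        # 0.0.0.0/8
        if ($b[0] -eq 10) { return $true }                                        # 10/8
        if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true }  # 172.16/12
        if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }                   # 192.168/16
        if ($b[0] -eq 169 -and $b[1] -eq 254) { return $true }                   # 169.254/16 (link-local, cloud metadata)
        return $false
    }
    if ($Address.IsIPv6LinkLocal -or $Address.IsIPv6SiteLocal) { return $true }
    return (($b[0] -band 0xFE) -eq 0xFC)                                          # fc00::/7 unique-local
}

function Test-OutboundTarget {
    # Accepts $Url only if it is absolute http(s), carries no userinfo, names an allowlisted
    # host, and every address that host resolves to is public. $Resolver is injectable so the
    # demonstration below runs offline; in production keep the default DNS lookup.
    param(
        [Parameter(Mandatory)][string]$Url,
        [scriptblock]$Resolver = { param($h) [System.Net.Dns]::GetHostAddresses($h) }
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -notin @('http', 'https')) { return $false }   # no file:, ftp:, gopher:
    if ($uri.UserInfo) { return $false }                            # http://allowed-host@10.0.0.5/ trick
    if ($uri.Host -notin $script:AllowedHosts) { return $false }    # raw IP literals never match
    $addresses = @(& $Resolver $uri.Host)
    if ($addresses.Count -eq 0) { return $false }
    foreach ($a in $addresses) { if (Test-PrivateAddress -Address $a) { return $false } }
    return $true
}

# Vulnerable pattern: the caller's URL is fetched as-is, and -UseDefaultCredentials hands the
# service's own identity to whatever endpoint the caller chose.
function Invoke-UnsafeFetch {
    param([string]$Url)
    Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials
}

# Hardened pattern: validate first, send no ambient credentials, follow no redirects
# (a redirect is an SSRF target the validator never saw).
function Invoke-SafeFetch {
    param([string]$Url)
    if (-not (Test-OutboundTarget -Url $Url)) { throw "Refusing outbound request to '$Url'" }
    Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0
}

# Offline demonstration with a constructed resolver (these addresses are made up).
$fakeDns = {
    param($h)
    switch ($h) {
        'mail.contoso.com'  { [System.Net.IPAddress]::Parse('203.0.113.10') }
        'alias.contoso.com' { [System.Net.IPAddress]::Parse('10.0.0.5') }   # allowlisted name, internal address
    }
}
$cases = @(
    'https://mail.contoso.com/autodiscover/autodiscover.xml',   # the one legitimate target
    'http://127.0.0.1/powershell',                              # loopback literal
    'http://mail.contoso.com@169.254.169.254/latest/',          # userinfo trick
    'https://alias.contoso.com/ecp/',                           # allowlisted name resolving to RFC 1918 space
    'file:///C:/Windows/win.ini'                                # wrong scheme
)
foreach ($c in $cases) {
    [pscustomobject]@{ Url = $c; Allowed = (Test-OutboundTarget -Url $c -Resolver $fakeDns) }
}
```

Only the first case passes; the other four are each rejected by a different check, which is the point: an allowlist alone does not stop the `alias.contoso.com` case, and scheme or host checks alone do not stop the userinfo case. One caveat the example does not close: the check and the fetch resolve the name separately, so a DNS server that answers 203.0.113.10 once and 127.0.0.1 the next time can still get through. A complete fix pins the connection to the address that was validated, which in .NET means a custom connection callback rather than a plain `Invoke-WebRequest`.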
Affected Versions
The vulnerability affects supported on‑premises deployments of:
Microsoft Exchange Server 2016 (Cumulative Update 23)
Microsoft Exchange Server 2019 (Cumulative Update 14 & 15)
Microsoft Exchange Server Subscription Edition (SE) RTM
Organizations running these versions should apply the relevant security updates released in the June 2026 Patch Tuesday to mitigate the risk.
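To see which servers still need the update, the following PowerShell, an added example by the editor and not a script from the article or from Microsoft, inventories Exchange builds from the Exchange Management Shell. `AdminDisplayVersion` reports only the cumulative update, so the script reads the ExSetup.exe file version, which also changes when a security update is installed. The build prefixes that identify each CU line are the editor's understanding of Microsoft's published build-number table; the fixed builds for the June 2026 security update are not known to the editor and are passed in as a clearly hypothetical placeholder table that you replace from the update's release notes.

```powershell
# Editor's inventory script, not from the page or from Microsoft. Run in the Exchange
# Management Shell from an account with local admin rights on every Exchange server
# (Invoke-Command needs WinRM to each of them).

# CU lines this advisory names, keyed by the Major.Minor.Build prefix of their file version.
# Prefixes are the editor's reading of Microsoft's build-number table; verify against it.
$AffectedLines = @{
    '15.1.2507' = 'Exchange 2016 CU23'
    '15.2.1544' = 'Exchange 2019 CU14'
    '15.2.1748' = 'Exchange 2019 CU15'
    '15.2.2562' = 'Exchange SE RTM'
}

function Get-ExchangeBuild {
    # Returns the ExSetup.exe file version of one server as [version], or $null if unreachable.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $raw = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo.ProductVersion
        }
        return [version]$raw
    } catch {
        Write-Warning "$ComputerName`: could not read ExSetup.exe version ($($_.Exception.Message))"
        return $null
    }
}

function Get-ExchangeSuStatus {
    # Compares each server's build with the fixed build for its CU line.
    # $FixedBuilds maps prefix -> [version] taken from the June 2026 SU release notes.
    param([Parameter(Mandatory)][hashtable]$FixedBuilds)
    foreach ($server in Get-ExchangeServer | Sort-Object Name) {
        $build = Get-ExchangeBuild -ComputerName $server.Name
        if (-not $build) { continue }
        $prefix = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
        if (-not $AffectedLines.ContainsKey($prefix)) {
            # Not one of the listed CU lines: either newer than this advisory or too old for the SU,
            # in which case the server must first move to a supported CU.
            $status = 'Outside advisory scope (check CU support status)'
        } elseif (-not $FixedBuilds.ContainsKey($prefix)) {
            $status = 'Fixed build not supplied'
        } elseif ($build -ge $FixedBuilds[$prefix]) {
            $status = 'Patched'
        } else {
            $status = 'VULNERABLE'
        }
        [pscustomobject]@{
            Server = $server.Name
            Line   = $AffectedLines[$prefix]
            Build  = $build.ToString()
            Status = $status
        }
    }
}

# Hypothetical invocation: the fourth component of each fixed build is whatever the June 2026
# SU release notes list. The .999 values below are placeholders, not the real fixed builds.
Get-ExchangeSuStatus -FixedBuilds @{
    '15.1.2507' = [version]'15.1.2507.999'
    '15.2.1544' = [version]'15.2.1544.999'
    '15.2.1748' = [version]'15.2.1748.999'
    '15.2.2562' = [version]'15.2.2562.999'
} | Format-Table -AutoSize
```

Comparing `[version]` objects rather than strings matters here: a string comparison would rank `15.2.1748.9` above `15.2.1748.10`. If you would rather not open WinRM to every server, Microsoft's HealthChecker script from the CSS-Exchange repository performs a broader version of the same build comparison.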
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path