Understanding Microsoft Exchange CVE‑2026‑45504: High‑Risk SSRF Vulnerability

CVE‑2026‑45504, disclosed on Microsoft’s Patch Tuesday (June 9, 2026), is a high‑severity SSRF flaw (CWE‑918) in Exchange Server that lets a low‑privileged authenticated user trigger internal requests, leading to privilege escalation with a CVSS score of 8.8.

Black & White Path

Vulnerability Overview

CVE‑2026‑45504 was disclosed on June 9, 2026, during Microsoft’s Patch Tuesday. It is classified as a Server‑Side Request Forgery (SSRF) vulnerability (CWE‑918) with a CVSS 3.1 rating of 8.8, indicating a high‑severity risk. An attacker only needs a low‑privileged, authenticated Exchange account and no user interaction to exploit the flaw over the network.

Root Cause and Impact

The flaw resides in Exchange Server’s handling of user‑supplied URLs or hostnames, which are not strictly validated. A low‑privileged authenticated user can craft malicious requests that force the Exchange server to issue HTTP/HTTPS calls to internal resources such as loopback addresses or sensitive management interfaces. Because these forged requests originate from the server’s system or service account, they inherit high‑trust privileges. In environments where Exchange tightly integrates with Active Directory and internal APIs, the attacker can bypass perimeter controls, read or modify high‑privilege resources (e.g., mailbox permissions, transport rules, role assignments), and achieve lateral movement and full control of the corporate network.

Affected Versions

The vulnerability affects supported on‑premises deployments of:

Microsoft Exchange Server 2016 (Cumulative Update 23)

Microsoft Exchange Server 2019 (Cumulative Update 14 & 15)

Microsoft Exchange Server Subscription Edition (SE) RTM

Organizations running these versions should apply the relevant security updates released in the June 2026 Patch Tuesday to mitigate the risk.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: privilege escalation, Security Vulnerability, ssrf, Patch Tuesday, CVE-2026-45504, CWE-918, Microsoft Exchange
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
