The vulnerability is a server‑side request forgery that permits an authorized attacker to disclose information over a network. The flaw is an improper authorization vulnerability in Microsoft Exchange Server that allows an authenticated attacker to read data over the network. Additionally, the vulnerability is classified as CWE‑918, representing a server‑side request forgery that may allow an attacker to access internal resources. An attacker who can authenticate to the Exchange Server can gain confidentiality of data not intended for that user. The CVSS score of 8.1 reflects the high confidentiality impact of this scenario.

Microsoft Exchange Server 2016 cumulative update 23, Microsoft Exchange Server 2019 cumulative update 14, Microsoft Exchange Server 2019 cumulative update 15, and Microsoft Exchange Server Subscription Edition RTM are all affected, as identified by the CNA and reflected in the CVE vendor/product listings.

Because the attacker must possess valid credentials, the most likely attack surface is within an internal network or through a compromised account. The likely attack vector is remote, as the information can be disclosed over a network, but this inference is drawn from the description rather than an explicit statement. No known exploits appear in CISA’s KEV catalog and the EPSS score of 0.00428 indicates a very low probability of exploitation, yet the high CVSS score indicates a significant potential for confidentiality breaches if privileged accounts are not tightly controlled.