Description
Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.
Published: 2026-06-09
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a server-side request forgery (SSRF) that enables an attacker who is already authenticated to the Exchange Server with limited privileges to gain higher privileges. The flaw allows the attacker to make the server issue requests on the attacker's behalf, which can lead to unauthorized access, data extraction, or further compromise of the Exchange infrastructure.

Affected Systems

Microsoft Exchange Server 2016 cumulative update 23, Microsoft Exchange Server 2019 cumulative update 14, Microsoft Exchange Server 2019 cumulative update 15, and Microsoft Exchange Server Subscription Edition RTM are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity with potential for full privilege escalation. Although no EPSS score is available, the vulnerability is exploitable remotely over the network by an authorized user. It is not listed in the CISA KEV catalog, but the high CVSS score indicates a significant risk, especially in environments where privileged accounts are not properly segregated.

Generated by OpenCVE AI on June 9, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest cumulative update for your Exchange Server version from the Microsoft Security Response Center; for Exchange 2016 use cumulative update 23, for Exchange 2019 use cumulative update 14 or 15, and for Subscription Edition RTM apply the newest available patch.
  • Restart the Exchange services (or the entire server if required) to complete the installation of the cumulative update.
  • After the patch, review outbound network policies and restrict the Exchange server from making arbitrary HTTP/HTTPS requests to untrusted hosts to reduce the potential impact of any future SSRF attacks.

Generated by OpenCVE AI on June 9, 2026 at 19:59 UTC.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:30:00 +0000

Type: First Time appeared
  Values Removed: (empty)
  Values Added:
    Microsoft microsoft Exchange Server 2016 Cumulative Update 23
    Microsoft microsoft Exchange Server 2019 Cumulative Update 14
    Microsoft microsoft Exchange Server 2019 Cumulative Update 15
    Microsoft microsoft Exchange Server Subscription Edition Rtm

Type: Vendors & Products
  Values Removed: (empty)
  Values Added:
    Microsoft microsoft Exchange Server 2016 Cumulative Update 23
    Microsoft microsoft Exchange Server 2019 Cumulative Update 14
    Microsoft microsoft Exchange Server 2019 Cumulative Update 15
    Microsoft microsoft Exchange Server Subscription Edition Rtm

Tue, 09 Jun 2026 17:15:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

Type: Title
  Values Removed: (empty)
  Values Added: Microsoft Exchange Server Elevation of Privilege Vulnerability

Type: First Time appeared
  Values Removed: (empty)
  Values Added:
    Microsoft
    Microsoft exchange Server 2016
    Microsoft exchange Server 2019
    Microsoft exchange Server Se

Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-918

Type: CPEs
  Values Removed: (empty)
  Values Added:
    cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
    cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
    cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
    cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*

Type: Vendors & Products
  Values Removed: (empty)
  Values Added:
    Microsoft
    Microsoft exchange Server 2016
    Microsoft exchange Server 2019
    Microsoft exchange Server Se

Type: References
  Values Removed: (empty)
  Values Added: (empty)

Type: Metrics
  Values Removed: (empty)
  Values Added: cvssV3_1
    {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:49:59.772Z

Reserved: 2026-05-12T16:07:22.619Z

Link: CVE-2026-45504

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:26.257

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses