MEDIUM 5.0

CVE-2026-45502: Microsoft Exchange Server SSRF Information Disclosure Vulnerability

A server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server allows an authenticated attacker to make the server issue requests on their behalf, potentially exposing sensitive network information. An attacker with valid credentials can craft requests that cause the Exchange server to connect to internal resources and leak data back to them. This requires prior authentication but poses a meaningful information disclosure risk within trusted network boundaries.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Weaknesses (CWE)
CWE-918
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45502 is a Server-Side Request Forgery (CWE-918) vulnerability in Microsoft Exchange Server that permits an authenticated attacker to initiate arbitrary network requests from the Exchange server's context. The vulnerability does not require user interaction and operates at the network level. The attack surface is confined to authenticated users, limiting exposure but not eliminating it. The resulting information disclosure is scoped to the network layer, allowing an attacker to enumerate or exfiltrate data from internal hosts that trust the Exchange server or are accessible from its network segment.

Business impact

While authentication is required, SSRF vulnerabilities can enable attackers to pivot deeper into network infrastructure, discover and probe internal services, and potentially access sensitive data repositories not directly exposed to the internet. In environments where Exchange credentials are compromised or insider threats are a concern, this vulnerability becomes a pathway for lateral movement and reconnaissance. Organizations should assess whether the confidentiality impact of internal network enumeration and data exposure aligns with their risk tolerance.

Affected systems

Microsoft Exchange Server (multiple editions) and Microsoft Exchange Server Subscription Edition are affected. Verify exact version ranges and availability of updates against the Microsoft security advisory, as patch availability may vary by release branch and support lifecycle.

Exploitability

Exploitability is straightforward for authenticated users with valid credentials. An attacker does not need to trick users or bypass additional controls; they can directly invoke the vulnerable code path. However, the requirement for prior authentication—obtaining or compromising valid Exchange credentials—raises the barrier to opportunistic external exploitation. The attack cannot be executed unauthenticated. In environments with weak credential hygiene or high insider threat risk, exploitability escalates materially.

Remediation

Apply the security patch provided by Microsoft for your affected Exchange Server version as soon as practical. Microsoft's advisory should specify patch availability by product version and servicing channel. Organizations unable to patch immediately should review authentication controls to Exchange and monitor for suspicious authenticated activity. Network segmentation limiting Exchange server outbound connectivity can reduce the risk of information exfiltration to external targets.

Patch guidance

Consult the Microsoft security advisory for CVE-2026-45502 to identify the correct patch version for your Exchange Server edition and deployment model (on-premises vs. subscription-based). Test patches in a non-production environment before enterprise deployment to ensure compatibility with your configuration. Organizations on extended support or custom configurations should verify patch applicability and any dependencies before rollout.

Detection guidance

Monitor Exchange Server logs for unusual outbound network connections originating from the server process, particularly to non-standard ports or internal IP ranges. Observe authenticated session behavior for requests that attempt to access external URLs or internal network resources unusual for normal operations. Consider implementing egress filtering or proxy logging to capture and alert on unexpected Exchange-initiated traffic. Audit successful and failed authentication events to identify credential compromise that could enable this attack.

Why prioritize this

This vulnerability merits near-term attention but not emergency-level response. The CVSS 3.1 score of 5.0 (Medium severity) reflects low attack complexity and no user interaction against a large attack surface (CVSS AV:N). However, authentication requirement limits immediate external threat. Organizations should prioritize patching on a standard security cycle (within 30–60 days) while focusing higher-priority resources on unpatched critical vulnerabilities. Environments with weak identity controls or recent credential incidents should elevate urgency.

Risk score, explained

The CVSS 3.1 score of 5.0 is driven by: Network accessibility (AV:N) and low complexity (AC:L) increase exposure; authentication requirement (PR:L) substantially reduces attack surface; scope change (S:C) acknowledges the ability to impact other systems; confidentiality impact (C:L) reflects information disclosure, while integrity and availability remain unaffected (I:N/A:N). The resulting Medium severity appropriately captures a real but bounded risk that does not pose immediate system compromise or widespread availability concerns.

Frequently asked questions

Can this vulnerability be exploited without valid Exchange Server credentials?

No. The vulnerability requires prior authentication (PR:L in the CVSS vector). An attacker must have valid Exchange credentials or must first compromise an authorized user account. This substantially narrows the attack surface compared to unauthenticated SSRF flaws.

What internal data or systems could be exposed through this SSRF?

An attacker can cause the Exchange server to issue network requests and receive responses, potentially probing or exfiltrating data from internal services, databases, or metadata endpoints that trust or are accessible from the Exchange server's network position. The exact scope depends on network segmentation, firewall rules, and internal service exposure. Most at-risk are unencrypted or poorly segmented internal services.

Does this vulnerability affect Exchange Online or only on-premises Exchange Server?

The advisory lists both on-premises Exchange Server editions and Exchange Server Subscription Edition. Organizations should verify coverage via the Microsoft security advisory to determine whether their specific deployment model and version are affected and whether patches or mitigations are available.

If we cannot patch immediately, what interim controls reduce risk?

Strengthen authentication controls (multi-factor authentication, password complexity, privileged access management). Implement network egress filtering to restrict outbound connections from Exchange servers to authorized endpoints only. Enhance logging and alerting on Exchange outbound traffic and authenticated session anomalies. These measures reduce both the likelihood of credential compromise and the impact of exploitation if it occurs.

This analysis is provided for informational purposes by SEC.co and does not constitute professional security advice. Organizations should conduct their own risk assessment based on their environment, deployment model, and threat landscape. Verify all patch versions, affected product lists, and remediation steps against the official Microsoft security advisory. SEC.co makes no warranty regarding the completeness or accuracy of external vendor advisories. Always test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).