HIGH 8.8

CVE-2026-45504: Microsoft Exchange Server SSRF Privilege Escalation Vulnerability

CVE-2026-45504 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that allows an authenticated attacker to escalate their privileges across the network. Because the vulnerability requires valid credentials to exploit, the immediate risk is contained to authorized users—however, any user account (even low-privileged ones) can potentially pivot to higher access levels within the Exchange environment and potentially beyond. With a CVSS score of 8.8, this is rated HIGH severity and merits prompt patching.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-918
Affected products
4 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability exploits SSRF principles (CWE-918) within Microsoft Exchange Server's request handling. An authenticated attacker can craft malicious requests that cause the Exchange server to make unintended server-side calls, bypassing normal authentication or authorization checks. By chaining this SSRF behavior with privilege escalation techniques, an attacker with user-level credentials can gain higher-level access to the Exchange infrastructure. The network-accessible nature (AV:N) and low attack complexity (AC:L) mean that any authenticated user on the network can attempt exploitation.

Business impact

Compromise of Exchange Server accounts through privilege escalation can lead to unauthorized access to email data, calendar information, and other sensitive communications. An attacker escalating within Exchange can potentially pivot to other systems, exfiltrate business records, modify mail flows, or establish persistence. For organizations relying on Exchange for business continuity, this vulnerability poses a risk to confidentiality, integrity, and availability of messaging infrastructure.

Affected systems

Microsoft Exchange Server (multiple versions) and Microsoft Exchange Server Subscription Edition are affected. Consult the official Microsoft security advisory to determine which specific build versions, cumulative updates, or subscription tiers require patching. Organizations running any supported version of Exchange Server should assume their systems are potentially vulnerable until patches are applied.

Exploitability

This vulnerability requires an attacker to already possess valid authentication credentials—either through legitimate access, credential theft, or prior compromise. It cannot be exploited by unauthenticated remote users. However, the combination of low attack complexity and network accessibility means that once an attacker has any valid Exchange user account (including generic service accounts or low-privileged mailbox users), exploitation is straightforward. Public exploit code is not currently known to be widely available, but the vulnerability's mechanics are well-understood in the security community.

Remediation

Immediate action: apply the latest security update from Microsoft for your specific version of Exchange Server. Microsoft typically releases patches through monthly cumulative updates (CUs). Verify the patch version against Microsoft's official security advisory to ensure the CVSS 8.8 SSRF vulnerability is addressed. Concurrent controls include restricting Exchange server network access to trusted hosts, reviewing privileged account usage, and monitoring for suspicious SSRF-related patterns in Exchange logs.

Patch guidance

Contact Microsoft or consult their official security advisory to obtain the specific cumulative update or security update that resolves CVE-2026-45504. Patch deployment should be treated as urgent given the HIGH severity rating. Test patches in a non-production environment first. For organizations with multiple Exchange servers, implement a phased rollout to minimize service disruption while maintaining coverage. After patching, verify that the vulnerable code path is no longer accessible.

Detection guidance

Monitor Exchange Server logs for anomalous request patterns, particularly requests originating from authenticated sessions that attempt to connect to unexpected internal or external hosts. Look for HTTP requests with unusual Host headers, requests to localhost or private IP ranges from Exchange processes, or authentication-bypass attempts. Network IDS/IPS signatures focused on SSRF patterns may flag exploitation attempts. Correlate authentication logs with suspicious outbound connections initiated by the Exchange service account.

Why prioritize this

With a CVSS score of 8.8 (HIGH), this vulnerability should be prioritized within your patch schedule. Although it requires authentication, the privilege escalation outcome—combined with Exchange Server's central role in most organizations' infrastructure—makes it a significant risk. The vulnerability is not yet in the CISA Known Exploited Vulnerabilities catalog, providing a narrow window to patch before active exploitation becomes commonplace. Delay increases the likelihood of compromise.

Risk score, explained

The score of 8.8 reflects the combination of network accessibility (AV:N), low attack complexity (AC:L), and requirement for low-level privileges (PR:L) balanced against high impact to confidentiality, integrity, and availability (C:H/I:H/A:H). While authentication is required, once an attacker possesses any valid user credentials, the path to elevated access is direct and impactful. The score does not indicate critical (9.0+), but it is firmly in the HIGH range, warranting urgent remediation.

Frequently asked questions

Can this vulnerability be exploited without a valid user account?

No. CVE-2026-45504 requires the attacker to possess valid authentication credentials for the Exchange Server. Unauthenticated remote exploitation is not possible. However, this does not eliminate risk: compromised accounts, shared service accounts, or low-privileged user credentials all meet the authentication requirement.

Is this vulnerability currently being exploited in the wild?

As of the publication date, CVE-2026-45504 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which suggests widespread active exploitation has not been publicly documented. However, this does not guarantee the vulnerability will not be exploited; organizations should patch proactively rather than wait for evidence of active attacks.

What should we do if we cannot patch Exchange Server immediately?

Implement compensating controls: restrict Exchange Server network access to known, trusted hosts; enforce strong authentication and multi-factor authentication for all Exchange accounts; monitor Exchange logs aggressively for SSRF and privilege escalation indicators; and consider isolating critical Exchange servers from untrusted networks. These measures reduce risk but do not eliminate it; patching remains the definitive remediation.

Will applying a standard Windows Update fix this vulnerability?

CVE-2026-45504 is specific to Microsoft Exchange Server and requires a dedicated Exchange Server security update or cumulative update, not a general Windows OS patch. Consult the official Microsoft security advisory to identify the correct update package for your Exchange version and deployment model.

This analysis is based on vendor-provided information and threat intelligence available as of the publication date. Organizations must verify all patch versions, affected product builds, and remediation steps against the official Microsoft security advisory before implementing changes. SEC.co does not provide guarantee of accuracy for vendor-supplied data and recommends independent validation of all technical details. No exploit code or detailed attack mechanics are provided herein; this content is intended for authorized security professionals and system administrators only. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).