Microsoft Exchange SSRF Vulnerability (CVE-2026-45502) Exploit Released
A proof-of-concept (PoC) exploit has been published for CVE-2026-45502, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server’s Exchange Web Services (EWS). The flaw affects Exchange Server 2016 (CU23), 2019 (CU14 and CU15), and the Subscription Edition (RTM), allowing authenticated mailbox users to manipulate the ManifestUrl parameter in an InstallApp SOAP request to force the server to send HTTP requests to attacker-controlled internal or external endpoints.
Microsoft rates the vulnerability as medium severity (CVSS 3.1: 5.0), though a CVSS 4.0 assessment lowers it to 2.3 (low). The issue stems from insufficient URL validation in the SynchronousDownloadData.DownloadDataFromUri() function, which processes user-supplied ManifestUrl values during EWS add-in installations. In on-premises deployments, a logic error where the isBposUser flag is always false disables internal-address blocking, enabling the server to trust arbitrary URLs.
Exploiting this flaw turns Exchange into a network proxy, allowing access to internal HTTP services, metadata endpoints (e.g., 169.254.169.254), and other restricted resources. While the SSRF is largely blind, researchers demonstrated that HTTP error codes and timing can be used for internal reconnaissance, potentially chaining with other vulnerabilities.
A PoC workflow was released, showing how an attacker can send a crafted EWS InstallApp request with a ManifestUrl pointing to an attacker-controlled listener, confirming the SSRF when the Exchange server initiates a callback.
Microsoft patched CVE-2026-45502 in the June 9, 2026 Patch Tuesday (KB5094139), replacing the flawed isBposUser logic with a feature-flag-driven model and introducing ManifestUrlCheck, an allowlist restricting connections to trusted domains like officeclient.microsoft.com. Organizations must ensure their Exchange servers are updated to the fixed versions to mitigate risk.
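To make the root cause concrete, the following added example models the two validation behaviours the article describes: the pre-patch check whose internal-address block is gated on a flag that is always false on-premises, and the patched allowlist-style check. It is illustrative Python written for this page, not Exchange's actual C# code; the allowlist contents, function names and the is_bpos_user parameter are assumptions based only on the article's description.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist modelled on the page's description of
# ManifestUrlCheck; the real list is not reproduced here.
MANIFEST_HOST_ALLOWLIST = {"officeclient.microsoft.com"}


def is_internal_ip_literal(host: str) -> bool:
    """True when host is an IP literal in a loopback, private,
    link-local (e.g. 169.254.169.254) or other non-global range."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a DNS name, not an IP literal
    return not ip.is_global


def weak_manifest_check(url: str, is_bpos_user: bool = False) -> bool:
    """Models the pre-patch logic: the internal-address block only
    runs when is_bpos_user is True. On-premises that flag is always
    False, so any http(s) URL, including link-local metadata
    endpoints, is accepted and fetched by the server."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if is_bpos_user and is_internal_ip_literal(parts.hostname):
        return False
    return True


def allowlist_manifest_check(url: str) -> bool:
    """Hardened model: HTTPS only, the internal-address block is
    applied unconditionally, and the host must be on the allowlist.
    Because the allowlist is the final gate, a future flag bug cannot
    silently reopen arbitrary destinations."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if is_internal_ip_literal(host):
        return False
    return host in MANIFEST_HOST_ALLOWLIST


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data",
              "https://officeclient.microsoft.com/manifest.xml"):
        print(u, weak_manifest_check(u), allowlist_manifest_check(u))
```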
Defenders are advised to restrict outbound connectivity from Exchange servers, monitor for anomalous HTTP traffic, and enforce strict access controls on EWS endpoints, as valid credentials are required for exploitation.
Source: https://gbhackers.com/poc-released-for-microsoft-exchange-server-vulnerability/
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
"id": "MIC1782296659",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "6/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{
  "affected_entities": [
    {
      "industry": "Technology/Enterprise Software",
      "location": "Global",
      "name": "Microsoft Exchange Server",
      "type": "Software/Server"
    }
  ],
  "attack_vector": "Authenticated EWS InstallApp SOAP request with manipulated ManifestUrl parameter",
  "date_publicly_disclosed": "2026-06-09",
  "date_resolved": "2026-06-09",
  "description": "A proof-of-concept (PoC) exploit has been published for CVE-2026-45502, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server’s Exchange Web Services (EWS). The flaw affects Exchange Server 2016 (CU23), 2019 (CU14 and CU15), and the Subscription Edition (RTM), allowing authenticated mailbox users to manipulate the ManifestUrl parameter in an InstallApp SOAP request to force the server to send HTTP requests to attacker-controlled internal or external endpoints.",
  "impact": {
    "operational_impact": "Exchange server can be used as a network proxy for internal reconnaissance",
    "systems_affected": "Microsoft Exchange Server 2016 (CU23), 2019 (CU14, CU15), Subscription Edition (RTM)"
  },
  "lessons_learned": "Insufficient URL validation in Exchange Web Services can lead to SSRF vulnerabilities, enabling internal reconnaissance. Strict access controls and outbound connectivity restrictions are critical for mitigation.",
  "post_incident_analysis": {
    "corrective_actions": "Replaced isBposUser logic with feature-flag-driven model and introduced ManifestUrlCheck allowlist",
    "root_causes": "Insufficient URL validation in SynchronousDownloadData.DownloadDataFromUri() function and flawed isBposUser logic"
  },
  "recommendations": [
    "Apply Microsoft’s June 2026 Patch Tuesday update (KB5094139) immediately",
    "Restrict outbound connectivity from Exchange servers",
    "Monitor for anomalous HTTP traffic",
    "Enforce strict access controls on EWS endpoints"
  ],
  "references": [{"source": "Microsoft Security Update Guide"}],
  "response": {
    "containment_measures": "Patch deployment (KB5094139), restrict outbound connectivity from Exchange servers",
    "enhanced_monitoring": "Monitor for anomalous HTTP traffic",
    "remediation_measures": "Microsoft patched the vulnerability in June 2026 Patch Tuesday (KB5094139), replacing flawed logic with a feature-flag-driven model and introducing ManifestUrlCheck allowlist"
  },
  "title": "Microsoft Exchange SSRF Vulnerability (CVE-2026-45502) Exploit Released",
  "type": "SSRF (Server-Side Request Forgery)",
  "vulnerability_exploited": "CVE-2026-45502"
}