PoC Exploit Released for Microsoft Exchange SSRF Vulnerability — Patch Now
A proof-of-concept (PoC) exploit has been publicly released for a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server’s Exchange Web Services (EWS) component, tracked as CVE-2026-45502.
The flaw allows authenticated attackers to force Exchange servers to make outbound HTTP requests to arbitrary internal or external URLs, enabling internal network reconnaissance and unauthorized access to protected services.
The vulnerability resides in the SynchronousDownloadData.DownloadDataFromUri() method within Microsoft.Exchange.Data.ApplicationLogic.dll.
PoC for Microsoft Exchange SSRF Vulnerability
When an authenticated user submits an EWS InstallApp SOAP request containing a ManifestUrl parameter, Exchange fetches the manifest from the supplied URL. A critical design flaw in that code path means every SSRF protection is bypassed in on-premises deployments.
The intranet address check is gated on an isBposUser flag, which is set to true only for cloud-hosted Microsoft 365 (BPOS) tenants.
Since all on-premises Exchange deployments set this flag to false, the conditional check if (isBposUser && IsInternalUrlCheckEnabled() && ...) short-circuits immediately and no SSRF validation occurs whatsoever.
The server then makes an HTTP GET request to the attacker-controlled URL, appending a correlation ID parameter (corr=) in the process.
Microsoft assigned CVE-2026-45502 a CVSS 3.1 score of 5.0 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N.
An independent assessment under CVSS 4.0 yields a score of 2.3 (Low), reflecting the blind and semi-blind nature of the SSRF and the low privileges required. The vulnerability is classified under CWE-918 (SSRF) and CWE-863 (Incorrect Authorization).
Affected Products
The following Microsoft Exchange Server versions are confirmed vulnerable:
- Microsoft Exchange Server 2016 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 14
- Microsoft Exchange Server 2019 Cumulative Update 15
- Microsoft Exchange Server SE RTM
A researcher at Aretiq AI published the PoC script (poc_CVE-2026-45502.py) on June 22, 2026. The script starts a local HTTP listener on port 8888, then sends a crafted EWS InstallApp SOAP request with a <m:ManifestUrl> element pointing to the listener. On a vulnerable server, Exchange makes an HTTP GET callback to the listener confirming the SSRF.
Testing returned an EWS HTTP 200 OK with ResponseCode: ErrorInternalServerError, while the attacker’s listener simultaneously received a GET request to /ssrf-test?marker=CVE-2026-45502-SSRF-CONFIRMED&corr=<guid> sourced directly from the Exchange server IP. Exploitation requires only valid mailbox credentials and network access to port 443.
In real-world attack scenarios, adversaries could exploit this flaw to probe internal services, access cloud instance metadata endpoints such as AWS IMDS at 169.254.169.254, interact with internal REST or management APIs, or map the internal network topology through response-timing analysis.
Microsoft addressed CVE-2026-45502 in the June 2026 security update (KB5094139). The patch replaces the single isBposUser-gated check with a two-tier defense controlled by two new feature flags, ManifestUrlValidation and ManifestUrlCheck, both enabled by default.
The patched version enforces a URL allowlist, permitting only https://officeclient.microsoft.com and administrator-configured entries regardless of deployment type.
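To make the before/after difference concrete, the following added example (not Microsoft's code or the PoC) models the two decisions described above: the pre-patch gate that only validates when isBposUser is true, and the post-patch allowlist that applies regardless of deployment type. The is_internal_host helper is a simplified stand-in for Exchange's intranet check, and the extra allowlist entries stand in for administrator-configured hosts; both are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The one host the patch allows by default (from the article); any other
# entries come from administrator configuration.
DEFAULT_ALLOWLIST = frozenset({"officeclient.microsoft.com"})


def is_internal_host(url: str) -> bool:
    """Simplified stand-in (assumption) for Exchange's intranet check: flag
    private, loopback and link-local IP literals; hostnames are not resolved."""
    host = urlsplit(url).hostname
    if not host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local


def vulnerable_gate(url: str, is_bpos_user: bool) -> bool:
    """Pre-patch logic: the intranet check only runs for BPOS tenants, so an
    on-premises server (is_bpos_user=False) accepts every ManifestUrl."""
    if is_bpos_user and is_internal_host(url):
        return False
    return True


def hardened_gate(url: str, is_bpos_user: bool = False, extra=()) -> bool:
    """Post-patch logic: https only, host must match the allowlist exactly,
    and the deployment type no longer matters (is_bpos_user is ignored)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # reject "allowed-host@real-host" style confusion
    allowed = {h.lower() for h in DEFAULT_ALLOWLIST.union(extra)}
    return parts.hostname in allowed  # .hostname is already lowercased
```

Note that the hardened check matches the host exactly, so a lookalike such as a subdomain of an attacker-controlled domain that merely contains the allowed name is rejected along with plain http URLs.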
Organizations running on-premises Exchange are strongly urged to apply KB5094139 immediately and audit EWS access logs for anomalous InstallApp requests.