Microsoft Exchange Server SSRF Vulnerability: Details and Public Proof-of-Concept Exploit Released — Arbitrary File Read via Low-Privilege User

CVE: Pending | CVSS: 8.6 (High) | Vendor: Microsoft | Product: Exchange Server (On-Premises)


What Is the Vulnerability

A high-severity server-side request forgery (SSRF) vulnerability has been disclosed in Microsoft Exchange Server on-premises deployments. The flaw allows an authenticated attacker with low-privilege user credentials (any mailbox user) to perform arbitrary file reads from the Exchange server’s filesystem. Attackers can exfiltrate sensitive files including web.config (containing encryption keys and connection strings), cached credentials, mailbox data, and other configuration files stored on the Exchange server.

Microsoft Exchange Server remains one of the most heavily targeted enterprise applications in the world. Previous Exchange vulnerabilities — most notably ProxyLogon, ProxyShell, and ProxyNotShell — led to widespread compromises and ransomware deployments. SSRF vulnerabilities in Exchange are particularly dangerous because they often serve as the initial access vector in complex attack chains, enabling privilege escalation and lateral movement throughout the target environment.

A public proof-of-concept exploit has been released alongside the vulnerability details, significantly lowering the barrier to exploitation.

Versions Affected

  • Microsoft Exchange Server 2019 (all CU versions prior to the July 2026 security update)
  • Microsoft Exchange Server 2016 (all CU versions prior to the July 2026 security update)
  • Exchange Server 2013 and earlier are EOL and may be affected; immediate upgrade recommended

Exploited?

No confirmed active exploitation at the time of writing, but a public PoC is available. The combination of a published proof-of-concept, the low privilege requirement (any mailbox user), and Exchange’s status as a perennial top target creates a high-risk scenario. Security researchers expect exploitation to begin imminently. Given the pattern of previous Exchange vulnerabilities, addition to the CISA Known Exploited Vulnerabilities (KEV) catalog is likely within days if active exploitation is confirmed.

Fix

Apply the latest Microsoft Exchange Server security updates immediately:

  • Exchange Server 2019: Apply the July 2026 Security Update (SU)
  • Exchange Server 2016: Apply the July 2026 Security Update (SU)
  • Exchange Server 2013 and earlier: No patch available; upgrade to a supported version

Note that Exchange security updates are cumulative; ensure all prior updates are applied before installing the latest SU. The Exchange Server Health Checker script can verify your patch level and configuration.

Recommendations

  • Apply Exchange security updates immediately. Prioritise externally facing Exchange servers, but patch all servers in the organisation as internal lateral movement is a key risk.
  • Restrict access to Exchange by placing it behind a VPN or enforcing IP allow-lists where possible. Reduce the attack surface by disabling unnecessary services and protocols.
  • Monitor for CISA KEV addition and update your vulnerability management programme accordingly. If the CVE is added to KEV, treat it as actively exploited and escalate remediation.
  • Audit Exchange server access logs for suspicious file read operations, unusual authentication patterns, and indicators consistent with the published PoC.
  • Harden Exchange servers using Microsoft’s published security baseline. Implement Extended Protection and disable legacy authentication protocols where feasible.


Part of the Vulnerability Intelligence series. See the July 3, 2026 VIR.
