HIGH | CVE-2026-45503 | Published | Modified | CNA: microsoft

CVE-2026-45503: Microsoft Exchange Server Information Disclosure Vulnerability

Server-side request forgery (SSRF) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 15.01.2507.069
Affected Products: 4


HarborGuard Analysis

Synopsis

Server-side request forgery (SSRF) in Microsoft Exchange Server allows an authenticated attacker to make the server issue HTTP requests to internal or external resources on the attacker's behalf. The vulnerability is reachable over the network and requires only a low-privilege account; no victim interaction is needed. Successful exploitation discloses sensitive information and enables tampering with data accessible to the Exchange server process. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-45503 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and build pipelines, including custom-built Exchange-based images. Coverage applies to every affected version range listed in the advisory.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.1 (HIGH) using the published v3.1 vector, and per-environment compliance policy weighting can elevate or suppress alert priority based on each customer's risk profile. Triage findings are routed to the inbox or ticketing integration configured for each customer org.

Patch (Available)

Patched-image rebuilds at versions 15.01.2507.069, 15.02.1544.041, 15.02.1748.046, and 15.02.2562.043 become available on HarborGuard as soon as the upstream packages are published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Exchange Server over the network; the service must be accessible from the attacker's position on the internet or internal network.

  • Authentication: Required

    A low-privilege Exchange account is sufficient; no administrator or elevated role is needed, but the attacker must have valid credentials.

  • Victim interaction: Not required

    The attacker does not need any user or administrator to take an action; exploitation is fully attacker-driven.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or non-standard environmental setup.

Blast Radius

  • Reads internal network responses that Exchange would not normally expose, potentially surfacing internal hostnames, IP addresses, service banners, or credential material from backend systems.
  • Tampers with or forges requests to internal services reachable by the Exchange server process, which can alter data or trigger unintended state changes in those systems.
  • Enables reconnaissance of internal infrastructure by bouncing requests through the Exchange server to probe otherwise firewalled services.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45503 is active across all customer image scans as of minutes after publication. For environments running any affected Exchange version (Exchange 2016 CU23, Exchange 2019 CU14, CU15, or Subscription Edition RTM), rebuilt images at the patched cumulative update versions are available as soon as upstream packages are indexed. Where compliance policy permits auto-remediation, HarborGuard can perform the image rebuild, execute a regression test run, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will see the affected images flagged in their dashboard with the specific version ranges and fix targets pre-populated.


Fix available

15.01.2507.069, 15.02.1544.041, 15.02.1748.046, 15.02.2562.043

Affected packages

  • Microsoft / Microsoft Exchange Server 2016 Cumulative Update 23
    < 15.01.2507.069 (from 15.01.0.0)
  • Microsoft / Microsoft Exchange Server 2019 Cumulative Update 14
    < 15.02.1544.041 (from 15.02.0.0)
  • Microsoft / Microsoft Exchange Server 2019 Cumulative Update 15
    < 15.02.1748.046 (from 15.02.0.0)
  • Microsoft / Microsoft Exchange Server Subscription Edition RTM
    < 15.02.2562.043 (from 15.02.0.0)
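
The ranges above are what a defender needs to decide whether a given Exchange build is exposed. The following is an added example, not code from this page or from HarborGuard, that parses an installed build number and checks it against exactly the four ranges listed. One assumption is made and labelled in the code: the two Exchange 2019 ranges on the page both start at 15.02.0.0 and overlap, so a CU14 server already at its fix build would literally fall inside the CU15 range; the example resolves that by letting the range whose fix version shares the build's cumulative-update number (the third component) decide on its own.

```python
# Added example (not HarborGuard's code): check an installed Exchange build
# number against the affected ranges listed on this page for CVE-2026-45503.
from typing import Optional, Tuple

# Version ranges copied from the "Affected packages" section of this page:
# (product, introduced, fixed). A build is affected if introduced <= build < fixed.
AFFECTED_RANGES = [
    ("Microsoft Exchange Server 2016 Cumulative Update 23", "15.01.0.0", "15.01.2507.069"),
    ("Microsoft Exchange Server 2019 Cumulative Update 14", "15.02.0.0", "15.02.1544.041"),
    ("Microsoft Exchange Server 2019 Cumulative Update 15", "15.02.0.0", "15.02.1748.046"),
    ("Microsoft Exchange Server Subscription Edition RTM", "15.02.0.0", "15.02.2562.043"),
]


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '15.01.2507.069' into (15, 1, 2507, 69) so comparison is numeric,
    not lexical ('15.02.999.0' must sort below '15.02.1544.041')."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Exchange build number: {version!r}")
    return tuple(int(p) for p in parts)


def cve_2026_45503_status(build: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, matched_product_or_None) for an installed build.

    Assumption (not stated on the page): because the two Exchange 2019 ranges
    overlap, a range whose fix version has the same first three components as
    the build (i.e. the same cumulative update) is taken as authoritative on
    its own. Builds from any other CU are judged by the literal page ranges.
    """
    b = parse_build(build)
    same_cu = [r for r in AFFECTED_RANGES if parse_build(r[2])[:3] == b[:3]]
    candidates = same_cu or AFFECTED_RANGES
    for product, introduced, fixed in candidates:
        if parse_build(introduced) <= b < parse_build(fixed):
            return True, product
    return False, None


if __name__ == "__main__":
    # Constructed sample builds, not values from the page (except the fix builds).
    for sample in ["15.01.2507.055", "15.01.2507.069", "15.02.1544.041",
                   "15.02.1748.010", "15.02.2562.050"]:
        affected, product = cve_2026_45503_status(sample)
        print(f"{sample}: {'AFFECTED' if affected else 'not affected'}"
              + (f" ({product})" if product else ""))
```

The numeric parse matters: the fix builds have leading zeros in the second and fourth components, and a string comparison of "15.02.999.0" against "15.02.1544.041" gives the wrong answer.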
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C