Microsoft Exchange Server Information Disclosure Vulnerability via Server-Side Request Forgery

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Microsoft Exchange Server. This vulnerability allows an authorized attacker to disclose information over a network. It affects multiple versions of Exchange Server, including the Subscription Edition RTM, Exchange Server 2016 Cumulative Update 23, and Exchange Server 2019 Cumulative Updates 14 and 15. When exploited, the vulnerability could enable an authenticated user to access sensitive information about internal or external network services that the Exchange server can reach, such as the existence of a service and its response details. In some cases, error messages returned by the server might reveal network addresses, connection statuses, or limited response data from those services.

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure, allowing an attacker to access sensitive data about network services reachable by the Exchange server.

Remediation

Users can download the security update for this vulnerability through the Microsoft Update Catalog. Instructions for applying the update are available in the Microsoft Knowledge Base articles linked in the product-specific update details.

Added: Jun 9, 2026, 6:40 PM
Updated: Jun 9, 2026, 6:40 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.6
exploitability: 4.8
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.