// Alert

Microsoft 365 threat report

Public proof-of-concept exploit released for CVE-2026-45504, a server-side request forgery vulnerability in Microsoft Exchange Server 2016 and 2019 that enables privilege escalation via arbitrary file reads. The flaw allows authenticated attackers with low privileges to exfiltrate sensitive files, credentials, and configuration data from on-premises Exchange deployments. Microsoft released patches on June 9, 2026; unpatched systems face significant risk as functional exploit code is now publicly available.

// Get alerts for Microsoft 365