CVE-2018-8581

HIGH · KEV · RANSOMWARE

Microsoft Exchange Server - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2018-8581 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added March 3, 2022), with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including Ridter, WyAtu and qiantu88.

AI-analyzed exploit summary: This is a functional exploit for CVE-2018-8581, which leverages an NTLM relay attack against Microsoft Exchange servers via the Exchange Web Services (EWS) PushSubscription feature. The exploit sets up an HTTP relay server to capture and relay NTLM authentication, potentially leading to privilege escalation and credential dumping.

Description

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability." This affects Microsoft Exchange Server.

Exploits (5)

nomisec · Working PoC · 375 stars
by Ridter · remote
https://github.com/Ridter/Exchange2domain
Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server (versions affected by CVE-2018-8581)
No auth needed
Prerequisites: Network access to the target Exchange server · Ability to intercept or relay NTLM authentication traffic · Valid credentials or hashes for initial authentication (optional)
devstral-2 · analyzed Feb 16, 2026
nomisec · Working PoC · 332 stars
by WyAtu · remote
https://github.com/WyAtu/CVE-2018-8581

This PoC exploits CVE-2018-8581, a Microsoft Exchange privilege escalation vulnerability, by manipulating NTLM authentication and serialized security contexts to add or remove delegates. It uses SOAP requests to exploit the vulnerability and requires valid credentials.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2010 SP1/SP2/SP3, 2013, 2016
Auth required
Prerequisites: Valid credentials for an Exchange user · Access to the target Exchange server · Network connectivity to the Exchange server
devstral-2 · analyzed Feb 16, 2026
nomisec · Working PoC · 5 stars
by qiantu88 · remote-auth
https://github.com/qiantu88/CVE-2018-8581

This PoC exploits CVE-2018-8581, a privilege escalation vulnerability in Microsoft Exchange Server. It leverages NTLM relaying and serialized security context manipulation to add or remove delegate permissions on a target mailbox.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2010 SP1/SP2/SP3, 2013, 2016
Auth required
Prerequisites: Valid credentials for an Exchange mailbox · Network access to the Exchange server · Control over an HTTP server for NTLM relaying
devstral-2 · analyzed Feb 16, 2026
patchapalooza · Working PoC
by mirrors_WyAtu · poc
https://gitee.com/mirrors_WyAtu/CVE-2018-8581

This repository contains a functional Python exploit for CVE-2018-8581, a Microsoft Exchange privilege escalation vulnerability. The script automates the process of delegating mailbox access from a controlled email account to a target account, including adding and removing delegates.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server 2010/2013/2016
Auth required
Prerequisites: Valid credentials for a controlled email account · Access to the target Exchange server · Python 2.7.14 with python-ntlm library
devstral-2 · analyzed Feb 23, 2026
patchapalooza · Working PoC
by thezdi · remote
https://github.com/thezdi/PoC

The repository contains functional exploit code for CVE-2018-8581, specifically targeting Microsoft Exchange Server via an NTLM relay attack. The PoC includes Python scripts for exploiting the vulnerability and C++ source files for RPC client interactions.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Exchange Server
No auth needed
Prerequisites: Network access to the target Exchange Server · NTLM relay setup
devstral-2 · analyzed Feb 23, 2026

References (4)

Core References (4)

http://www.securitytracker.com/id/1042141
Tags: Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack)

http://www.securityfocus.com/bid/105837
Tags: Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid)

Scores

CVSS v3: 7.4
EPSS: 0.9176
EPSS Percentile: 99.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2022-03-03
VulnCheck KEV: 2022-03-03
InTheWild.io: 2022-03-03
ENISA EUVD: EUVD-2018-20198
Ransomware Use: Confirmed
Status: published
Products (4)
microsoft/exchange_server 2010
microsoft/exchange_server 2013
microsoft/exchange_server 2016
microsoft/exchange_server 2019
Published: Nov 14, 2018
KEV Added: Mar 03, 2022
Tracked Since: Feb 18, 2026