FIX: Mailboxes can be accessed if the DefaultNetworkCredentials option is selected when you use EWS Managed API to connect to Exchange Server - Microsoft Support

Support

Sign in

Sign in with Microsoft

Sign in or create an account.

Hello,

Select a different account.

You have multiple accounts

Choose the account you want to sign in with.

Applies To

Exchange Server 2013 Enterprise Edition Exchange Server 2013 Standard Edition

Symptoms

You use Exchange Web Services (EWS) Managed API to connect to a coexistence environment of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2010. If you have the DefaultNetworkCredentials option selected, you can access others people's mailboxes and read the message content in those mailboxes.

Cause

This issue occurs when the initial token in the SOAP envelope is ignored during EWS proxy. In this situation, the token is not processed by using permission checking.

Resolution

To fix this issue, install Update Rollup 12 for Exchange Server 2010 Service Pack 3.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.

Email

SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Discover Community

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Ask the Microsoft Community

Microsoft Tech Community

Windows Insiders

Microsoft 365 Insiders