Why does the CAB file extraction in the Exchange Help Updater lead to arbitrary file write?
The `ExtractToTemp()` method in `Microsoft.Exchange.Management.dll` calls `EmbeddedCabWrapper.ExtractCabFiles()` without validating file paths inside the CAB archive. An attacker can include filenames with `../` sequences (e.g., `../../../../../inetpub/wwwroot/aspnet_client/poc.aspx`) to escape the extraction target directory and write files to arbitrary locations. This directory traversal flaw is the root cause of CVE-2021-31196. For comparison, other Exchange vulnerabilities like CVE-2021-34523 also involve improper input validation.
CAB extraction, directory traversal, arbitrary file write, ExtractCabFiles, Update-ExchangeHelp, CVE-2021-31196