CVE-2026-45504: The 88 CVSS Exchange SSRF Vulnerability That Lets Any Low-Privilege User Steal Your Server Files – Public PoC Now Available + Video

Listen to this Post

Featured Image

Introduction:

Microsoft Exchange Server, the backbone of enterprise email and collaboration for countless organizations, is once again in the crosshairs of attackers. A high-severity server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-45504 with a CVSS score of 8.8, has been publicly disclosed along with a functional proof-of-concept (PoC) exploit. What makes this flaw particularly dangerous is that it allows any authenticated, low-privileged user—think any employee with a mailbox—to read arbitrary files from vulnerable on-premises Exchange servers. This isn’t just a theoretical risk; the public availability of exploit code means the window for safe patching is rapidly closing.

Learning Objectives:

  • Understand the technical root cause of CVE-2026-45504 and how it transforms an SSRF primitive into an arbitrary file read.
  • Learn the step-by-step attack chain, from crafting a malicious reference attachment to exfiltrating sensitive system files.
  • Master practical detection, mitigation, and patching strategies to secure on-premises Exchange environments against active exploitation.

You Should Know:

  1. The Technical Root Cause: How Exchange’s Trust in WOPI Breaks Down

CVE-2026-45504 originates from how Exchange integrates with SharePoint and the Web Application Open Platform Interface (WOPI) when generating document preview URLs. In a vulnerable flow, Exchange uses helper functions like `GetTokenRequestWebResponse` and GetWacUrl, which call `OneDriveProUtilities.TryTwice` to issue HTTP requests based on attacker-influenced URLs. The core problem is that Exchange fails to validate the URL scheme of the `WebApplicationUrl` field returned by a WOPI provider. This means an attacker can supply a non-HTTP scheme like file://, which Exchange then uses as-is to build the final Web Application Companion (WAC) URL.

The exploit hinges on a subtle URI-handling trick involving the fragment character . If the attacker-controlled WOPI endpoint returns a `WebApplicationUrl` such as `file:///C:/windows/win.ini`, Exchange appends OAuth query parameters, forming a URL like `file:///C:/windows/win.ini&access_token=...&access_token_ttl=...&sc=...`. Everything after is treated as a fragment and ignored by the URI parser, so the effective path remains file:///C:/windows/win.ini. Exchange then issues a `file://` request via FileWebRequest, reads the local file, and returns its contents to the requester.

  1. The Attack Chain: From Low-Privilege Account to Full File Theft

The attack requires only a low-privileged Exchange account with a mailbox and network access to the Exchange server. Here is the step-by-step breakdown of how an attacker would weaponize this vulnerability:

  • Step 1: Establish Control – The attacker sets up a malicious server that will act as a rogue WOPI endpoint. This server is configured to respond to specific requests with crafted payloads.

  • Step 2: Craft the Attachment – Using Exchange Web Services (EWS), the attacker creates a specially crafted ReferenceAttachment. This attachment includes a `ProviderEndpointUrl` pointing to the attacker-controlled server.

  • Step 3: Trigger the Request – When a victim (or the attacker themselves) accesses or previews this attachment in Outlook on the web or another Exchange client, Exchange automatically initiates a backend request to the attacker’s server to retrieve WOPI metadata.

  • Step 4: The Malicious Response – The attacker’s server responds with a malicious `WebApplicationUrl` value, such as file:///C:/Windows/win.ini.

  • Step 5: File Read & Exfiltration – Exchange, trusting the response, makes a `FileWebRequest` to the local file system and returns the contents of the targeted file to the attacker. The PoC has demonstrated successful reads of files like `C:\Windows\win.ini` on Exchange Server 2019.

  1. Detection: How to Spot Exploitation Attempts in Your Environment

Detecting attempts to exploit CVE-2026-45504 requires monitoring several key areas. Security teams should watch for:

  • Unusual WOPI Token Requests – Monitor for `GetWopiTargetPropertiesByUrl` requests directed at unknown or untrusted external domains. These requests are part of the normal document preview flow but should originate from legitimate, known WOPI endpoints.

  • Suspicious Reference Attachments – Audit EWS activity for the creation of `ReferenceAttachment` objects with `ProviderEndpointUrl` values pointing to external or suspicious IP addresses.

  • Outbound Connections to Attacker Infrastructure – Monitor Exchange server outbound traffic for connections to unusual external hosts, especially those that occur shortly before a WOPI token request.

  • Local File Access Anomalies – Look for unexpected file system access patterns on the Exchange server, particularly reads of sensitive files like web.config, machine.config, or credential stores.

  • IIS Logs – Check IIS logs for abnormal HTTP requests to EWS endpoints that could indicate attachment creation or manipulation attempts.

4. Mitigation and Patching: Your Action Plan

Microsoft addressed CVE-2026-45504 in the June 2026 security updates. The patch adds proper scheme validation, which blocks file paths returned by WOPI providers. Administrators of on-premises Exchange deployments must act immediately. Here is the step-by-step patching and verification guide:

Step 1: Identify Affected Versions

CVE-2026-45504 affects on-premises Microsoft Exchange Server only—Exchange Online tenants are not vulnerable. The following versions are vulnerable and require patching:

| Exchange Version | Vulnerable Below Build | June 2026 Update |

||||

| Exchange Server 2016 CU23 | 15.01.2507.069 | KB5094144 |
| Exchange Server 2019 CU14 | 15.02.1544.041 | KB5094142 |
| Exchange Server 2019 CU15 | 15.02.1748.046 | KB5094140 |
| Exchange SE RTM | 15.02.2562.043 | KB5094139 |

Step 2: Apply the Security Update

Download and install the appropriate security update from the Microsoft Update Catalog or via Windows Update. Use the following PowerShell command to verify the installed build number after patching:

Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

Step 3: Verify Patch Success

Confirm that the build number matches or exceeds the fixed thresholds listed above. For example, Exchange Server 2019 CU15 should show version `15.02.1748.046` or higher.

Step 4: Implement Emergency Mitigations (If Patching Is Delayed)

If you cannot patch immediately, consider these temporary mitigations:

  • Restrict EWS Access – Limit Exchange Web Services access to trusted users and networks only.
  • Block Outbound Traffic – Restrict Exchange servers from making outbound connections to untrusted external hosts.
  • Network Segmentation – Implement network segmentation to limit the blast radius of compromised accounts.
  • Monitor Aggressively – Increase monitoring for the detection indicators outlined in Section 3.

5. Hands-On: Simulating the Attack (Authorized Testing Only)

For security professionals conducting authorized penetration testing, the public PoC released by HawkTrace on GitHub can be used to validate patch status. The PoC automates the process by:

  1. Setting up a malicious server that mimics a WOPI endpoint.
  2. Authenticating to the target Exchange server using low-privilege credentials.
  3. Creating a reference attachment that points to the malicious server.
  4. Triggering the file read and exfiltrating the requested file (e.g., the system hosts file).

Important: This should only be performed in controlled, authorized testing environments. Unauthorized exploitation is illegal and unethical.

What Undercode Say:

  • Key Takeaway 1: The disclosure of a public PoC for CVE-2026-45504 dramatically shifts the risk profile from “theoretical” to “imminent.” Organizations that delay patching are effectively leaving their Exchange servers wide open to any authenticated user—including potentially compromised accounts or malicious insiders.

  • Key Takeaway 2: This vulnerability is a textbook example of how seemingly minor input validation failures in complex enterprise software can cascade into critical security breaches. The combination of SSRF, lack of scheme validation, and URI parsing quirks created a perfect storm that Microsoft’s initial exploitability assessment underestimated.

The attack surface here is particularly concerning because Exchange servers typically hold a privileged position inside corporate networks, handling sensitive communications, credentials, and often serving as a gateway to other internal systems. The ability for a low-privileged user to read arbitrary files means attackers can exfiltrate configuration files containing database connection strings, application secrets, and even credential material that could facilitate lateral movement and privilege escalation across the entire organization. Furthermore, because the attack leverages legitimate Exchange functionality (document previews), it may evade traditional security controls that focus on malicious payloads rather than abuse of trusted features.

The public availability of the PoC means that threat actors—ranging from ransomware gangs to state-sponsored APT groups—will likely incorporate this technique into their toolkits within days, if not hours. The time to act is now. Patching is the primary and most effective mitigation, but organizations should also use this as an opportunity to review their broader Exchange security posture, including access controls, monitoring capabilities, and incident response procedures for email infrastructure.

Prediction:

  • +1 The rapid disclosure and public PoC will force many organizations to prioritize Exchange patching, potentially leading to improved overall security hygiene for on-premises email infrastructure.

  • -1 Expect a surge in exploitation attempts within the next 7–14 days as threat actors reverse-engineer the PoC and integrate it into automated attack frameworks, targeting unpatched Exchange servers globally.

  • -1 Organizations that fail to patch quickly may experience data breaches involving the exfiltration of sensitive configuration files, credentials, and internal system information, potentially leading to broader network compromise.

  • +1 This incident will likely drive increased adoption of Exchange Online (cloud) deployments, as organizations seek to offload the patching and security burden to Microsoft.

  • -1 The vulnerability highlights a systemic issue in how enterprise software handles external data from third-party integrations (WOPI), and similar flaws may exist in other products, potentially leading to a wave of SSRF-related disclosures in the coming months.

▶️ Related Video (66% Match):

https://www.youtube.com/watch?v=2ITe4Y0jpKo

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky