Critical SSRF Vulnerability in Microsoft Exchange Exposes Sensitive Files

Security researchers have disclosed a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, identified as CVE-2026-45504. This flaw, with a CVSS score of 8.8, enables authenticated, low-privileged users to read arbitrary files from vulnerable Exchange servers, posing significant risks to enterprises utilizing on-premises deployments.

Microsoft Exchange serves as a cornerstone for enterprise email, calendaring, and collaboration. Its central role in managing sensitive communications makes any vulnerability that permits unauthorized data access particularly concerning. In this instance, the issue arises from how Exchange processes external URLs during attachment previews and its integration with SharePoint services.

Technical Details of the Vulnerability

The vulnerability resides in the OneDriveProUtilities component, specifically within functions like TryTwice and GetWacUrl. These functions are responsible for making HTTP requests to retrieve Web Application Open Platform Interface (WOPI) data and access tokens necessary for document previews. The core problem is that user-controlled input is passed directly into WebRequest.CreateHttp without adequate validation.

Exploitation begins when an authenticated user creates a specially crafted reference attachment using Exchange Web Services (EWS). This attachment includes a ProviderEndpointUrl pointing to an attacker-controlled server. When a victim accesses or previews the attachment, the Exchange server initiates a backend request to the attacker’s server to retrieve WOPI metadata. The attacker then responds with a malicious WebApplicationUrl value, such as file:///C:/Windows/win.ini#.

By appending the fragment character (#), the attacker ensures that any query parameters Exchange appends afterwards land in the URL fragment and are ignored, so the local file path is processed as-is. Consequently, Exchange unknowingly performs a FileWebRequest against the local file system and returns the file contents to the attacker. This effectively transforms the SSRF vulnerability into an arbitrary-file-read primitive, granting access to sensitive system files such as configuration data, credentials, and internal service information.
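The two mechanics described above, an appended query string swallowed by a trailing "#" and a URL passed to the request layer without scheme or host checks, can be shown side by side in a small validator. This is an added illustration in Python, not code from the article or from Microsoft Exchange; the allowlisted host name is a constructed assumption standing in for whatever Office Online / WAC endpoint a deployment is actually configured to use.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allowlist of Office Online / WAC hosts (assumption: the hosts your
# SharePoint/Office Online integration is actually configured to talk to).
ALLOWED_WAC_HOSTS = {"officeonline.corp.example"}

def naive_append_params(url: str, params: dict) -> str:
    """The weak pattern the article describes: trust the URL and append parameters
    by string concatenation. A trailing '#' in the supplied URL pushes everything
    appended after it into the fragment, which is never sent with the request."""
    sep = "&" if "?" in url else "?"
    return url + sep + urlencode(params)

def effective_request_target(url: str) -> tuple:
    """(scheme, path, query) a URL library actually uses; the fragment is dropped."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.path, parts.query

def validate_wac_url(url: str) -> str:
    """Hardened counterpart: only absolute https URLs to an allowlisted host, with no
    userinfo and no fragment. Returns a normalised URL rebuilt from parsed parts."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"disallowed scheme: {parts.scheme!r}")
    # urlsplit reports an *empty* fragment for 'https://h/p#', so check the raw string too.
    if parts.fragment or "#" in url:
        raise ValueError("fragment not allowed in WAC URL")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed in WAC URL")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_WAC_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query, ""))

def is_acceptable_wac_url(url: str) -> bool:
    """Boolean wrapper for callers that just need a verdict."""
    try:
        validate_wac_url(url)
        return True
    except ValueError:
        return False

def build_wac_request_url(url: str, params: dict) -> str:
    """Validate first, then add parameters through the parser so they cannot hide behind '#'."""
    parts = urlsplit(validate_wac_url(url))
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
```

The same allowlist-and-rebuild approach applies to the ProviderEndpointUrl received from EWS, which is the first hop in the chain; validating only the second hop leaves the server making outbound requests to arbitrary endpoints.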

Proof-of-Concept Exploit Released

Researchers have released a public proof-of-concept (PoC) exploit demonstrating how this vulnerability can be exploited in real-world scenarios. The PoC automates the process by setting up a malicious server, authenticating to Exchange, and requesting arbitrary files such as the system hosts file.

This disclosure underscores the persistent risks associated with SSRF vulnerabilities in complex enterprise software. Even when authentication is required, the lack of proper input validation can lead to significant security breaches. Organizations running Microsoft Exchange should prioritize applying the latest security patches and review their systems for signs that this vulnerability has been exploited.

Given the critical nature of this flaw, it’s imperative for enterprises to stay vigilant and ensure their Exchange servers are updated promptly. This incident serves as a stark reminder of the importance of rigorous input validation and the need for continuous monitoring of enterprise software for emerging vulnerabilities.