A proof-of-concept (PoC) exploit has been publicly released for a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, identified as CVE-2026-45504. This flaw enables attackers to escalate privileges by reading arbitrary files on the server.
The vulnerability affects on-premises versions of Exchange Server 2016 and 2019, including the Subscription Edition. Microsoft addressed this issue in their June 9, 2026, security updates.
The root cause of CVE-2026-45504 lies in how Exchange integrates with SharePoint and the Web Application Open Platform Interface (WOPI) when generating document preview URLs. Specifically, Exchange utilizes functions like GetTokenRequestWebResponse and GetWacUrl, which call OneDriveProUtilities.TryTwice to issue HTTP requests based on attacker-controlled URLs. These functions then parse an OData XML response for fields such as WebApplicationUrl, AccessToken, and AccessTokenTtl.
A critical oversight in this process is the lack of validation for the URL scheme of the WebApplicationUrl field returned by the WOPI provider. This omission allows an attacker to supply a non-HTTP scheme, which Exchange then uses to construct the final Web Application Companion (WAC) URL.
Exploitation Details
This missing validation transforms an SSRF vulnerability into a potent arbitrary file read issue on the Exchange server. The exploit leverages a subtle URI-handling technique involving the fragment character (#). By crafting a WOPI endpoint that returns a WebApplicationUrl such as file:///C:/windows/win.ini#, Exchange appends OAuth query parameters, resulting in a URL like file:///C:/windows/win.ini#&access_token=…&access_token_ttl=…&sc=….
Due to the fragment character (#), everything following it is treated as a fragment and ignored by the URI parser. Consequently, the effective path remains file:///C:/windows/win.ini. Exchange then issues a file:// request via FileWebRequest, reads the local file, and returns its contents to the requester through Exchange services.
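The fragment behaviour described above, and the scheme check whose absence makes it exploitable, can be modelled in a few lines. This is an added example, not Exchange code: it uses Python's urllib to stand in for the .NET URI parser, and the function names, the allowed-scheme set and the sample URLs are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: a WAC endpoint is only ever reachable over HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}


def build_wac_url(web_application_url, access_token, access_token_ttl, sc):
    """Model the naive concatenation: OAuth parameters are appended to whatever
    WebApplicationUrl the WOPI provider returned, with no scheme validation."""
    return (f"{web_application_url}&access_token={access_token}"
            f"&access_token_ttl={access_token_ttl}&sc={sc}")


def effective_request_target(url):
    """Return (scheme, path, query) as a URI parser sees them. Everything after
    the first '#' is a fragment and is discarded, so parameters appended
    behind a trailing '#' never reach the path or query."""
    parts = urlsplit(url)
    return parts.scheme, parts.path, parts.query


def validate_web_application_url(url):
    """Hardened check to run before the URL is used to build a request.
    Rejects non-HTTP(S) schemes, host-less URLs and any '#' delimiter, the
    last of which is stricter than strictly required but removes the trick
    of hiding appended parameters in a fragment. Returns True if acceptable."""
    if "#" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.netloc:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    malicious = "file:///C:/windows/win.ini#"
    benign = "https://wac.example.com/wv/wordviewerframe.aspx?ui=en-US"
    for candidate in (malicious, benign):
        full = build_wac_url(candidate, "T", "3600", "X")
        print(candidate, "->", effective_request_target(full),
              "accepted" if validate_web_application_url(candidate) else "rejected")
```

Run as a script it prints the scheme, path and query each URL resolves to: the file:// candidate keeps its win.ini path with an empty query, while the HTTPS candidate carries the appended token parameters in its query; only the HTTPS one passes the validator.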
By targeting sensitive file paths, an attacker can exfiltrate configuration files, credential materials, and other secrets, facilitating privilege escalation and further system compromise.
Attack Prerequisites
To execute this attack, an adversary requires only a low-privileged Exchange account with a mailbox and network access to the Exchange server. The typical attack vector involves using Exchange Web Services (EWS) to create a ReferenceAttachment with a ProviderEndpointUrl pointing to an attacker-controlled server.
When a victim opens or previews this attachment in Outlook on the web or another Exchange client, Exchange automatically initiates the WOPI token acquisition process, sending a GetWopiTargetPropertiesByUrl request to the attacker’s server. The malicious WOPI response injects the crafted file:// WebApplicationUrl, triggering the local file read.
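A defender can look for the attack vector described above at the EWS layer: a ReferenceAttachment whose ProviderEndpointUrl points somewhere other than the organisation's approved document providers. The following is an added example, not part of the article or of any Microsoft tooling; the SOAP fragment is constructed, the element shape follows the public EWS ReferenceAttachment type, and the approved-host list and function names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: these are the only WOPI/document-provider hosts the tenant uses.
APPROVED_PROVIDER_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}

# Constructed sample of a CreateItem request body carrying two reference
# attachments; namespace prefixes as used in EWS SOAP messages.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Body>
    <t:Attachments>
      <t:ReferenceAttachment>
        <t:Name>Budget.docx</t:Name>
        <t:ProviderType>OneDrivePro</t:ProviderType>
        <t:ProviderEndpointUrl>https://contoso-my.sharepoint.com/personal/u/Budget.docx</t:ProviderEndpointUrl>
      </t:ReferenceAttachment>
      <t:ReferenceAttachment>
        <t:Name>Invoice.docx</t:Name>
        <t:ProviderType>OneDrivePro</t:ProviderType>
        <t:ProviderEndpointUrl>https://attacker.invalid/wopi/Invoice.docx</t:ProviderEndpointUrl>
      </t:ReferenceAttachment>
    </t:Attachments>
  </soap:Body>
</soap:Envelope>
"""


def local_name(tag):
    """Strip the namespace URI from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def extract_provider_endpoints(xml_text):
    """Return every ProviderEndpointUrl value found in the request body."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if local_name(el.tag) == "ProviderEndpointUrl" and el.text]


def flag_suspicious_endpoints(xml_text, approved_hosts=APPROVED_PROVIDER_HOSTS):
    """Flag endpoints whose scheme is not HTTPS or whose host is not approved."""
    flagged = []
    for url in extract_provider_endpoints(xml_text):
        parts = urlsplit(url)
        if parts.scheme.lower() != "https" or parts.hostname not in approved_hosts:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in flag_suspicious_endpoints(SAMPLE_REQUEST):
        print("suspicious ProviderEndpointUrl:", url)
```

The check is deliberately host-based rather than signature-based: the payload that matters in this vulnerability is served by the provider in its WOPI response, so the client request itself only reveals where Exchange is being sent, and an endpoint outside the approved set is the earliest observable indicator.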
Security researchers have demonstrated the exploit's effectiveness on Exchange Server 2019, successfully reading files such as C:\Windows\win.ini, which shows that real-world exploitation is straightforward.
Microsoft has classified this issue as an elevation of privilege vulnerability with a CVSS v3.1 score of 8.8, indicating a high impact on confidentiality, integrity, and availability. The vulnerability can be exploited over the network by a low-privileged authenticated user.
Security updates addressing this flaw are available for Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Updates 14 and 15, and Exchange Server Subscription Edition RTM under KB5094144, KB5094142, KB5094140, and KB5094139, respectively.
The release of a public PoC exploit for CVE-2026-45504 underscores the critical need for organizations to promptly apply Microsoft’s security updates. Delaying these patches leaves systems vulnerable to attacks that can lead to significant data breaches and system compromises. Administrators should prioritize updating their Exchange servers to mitigate this risk effectively.