Microsoft Exchange SSRF Vulnerability Gets Public PoC Exploit After Technical Details Released


Security researchers have published technical details and a public proof-of-concept exploit for CVE-2026-45504, a high-severity Microsoft Exchange Server vulnerability that can let an authenticated attacker read arbitrary files from a vulnerable server.

The flaw is a server-side request forgery issue in Microsoft Exchange Server. The official NVD entry lists it with a CVSS 3.1 score of 8.8 and describes it as allowing an authorized attacker to elevate privileges over a network.

Researchers at HawkTrace said the bug can be abused to read local files from the Exchange server through a chain involving Exchange Web Services reference attachments and WOPI-related URL handling.

What CVE-2026-45504 Allows

CVE-2026-45504 affects Microsoft Exchange Server, a core email and collaboration platform used by many enterprises for mailboxes, calendars, contacts, and internal communication.

The vulnerability does not give anonymous attackers direct access. Public research describes an attack path where a low-privileged authenticated Exchange user can influence server-side requests and turn that behavior into local file access.

The issue becomes more urgent because HawkTrace also released a public PoC exploit. Public exploit code can lower the barrier for testing and abuse, especially in organizations that have not applied Microsoft’s June 2026 Exchange updates.

Detail                   Status
CVE ID                   CVE-2026-45504
Vulnerability type       Server-side request forgery
Official severity        High, CVSS 3.1 score of 8.8
Authentication required  Yes, an authorized attacker is required
Public exploit           Available on GitHub
Main risk                Arbitrary local file read from vulnerable Exchange servers

How the Exchange SSRF Flaw Becomes File Read

HawkTrace traced the flaw to URL handling in Exchange components linked to attachment previews and SharePoint-style document integration. The attack path involves OneDriveProUtilities, WOPI metadata, and the WebApplicationUrl value returned from a controlled endpoint.

The core problem is weak scheme validation. Exchange can be pushed into processing a non-HTTP URL where only safe web schemes should be accepted.

According to the HawkTrace analysis, the chain starts with a crafted EWS reference attachment. When the attachment preview flow runs, Exchange contacts an attacker-controlled endpoint and then processes a malicious file-based URL returned in the response.

Why the Fragment Trick Matters

Exchange normally appends extra parameters to the URL it builds during the preview process. That would usually break a local file path.

Researchers showed that a fragment marker can make the appended parameters irrelevant to the final file path. As a result, Exchange can end up reading a local file and returning the contents through the preview flow.
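The two weaknesses described above, a scheme check that is too loose and a fragment marker that neutralises the parameters the server appends, can both be caught by one allow-list check run on the returned URL before anything is appended or fetched. The following is an added example, not code from HawkTrace, Microsoft or the PoC repository; the "WebApplicationUrl-style value" it validates and the sample URLs are constructed, and the naive append function only models the behaviour the article describes.

```python
"""Scheme and fragment checks for a server-built preview URL.

Added example (not HawkTrace's or Microsoft's code). It assumes a server that
receives a WebApplicationUrl-style value from a remote endpoint, appends its own
parameters, and then fetches the result, as the article describes.
"""
from urllib.parse import urlsplit, urlencode

# Only plain web schemes are acceptable for a URL the server will fetch itself.
ALLOWED_SCHEMES = {"http", "https"}


def naive_append_params(url: str, params: dict) -> str:
    """Build the final URL the way a careless implementation would:
    append the parameters with '?' or '&' and trust the result."""
    separator = "&" if "?" in url else "?"
    return url + separator + urlencode(params)


def path_after_append(url: str, params: dict) -> str:
    """Return the path component of the URL after naive appending.

    Anything after '#' is a fragment, so parameters appended behind a
    fragment marker never reach the path. Appending alone is no defence."""
    return urlsplit(naive_append_params(url, params)).path


def validate_preview_url(url: str) -> tuple:
    """Allow-list check to run BEFORE parameters are appended and before the
    server fetches anything. Returns (accepted, reason)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '<none>'!r} is not http/https"
    if not parts.netloc:
        return False, "no host component"
    # Reject the marker itself, not just a non-empty fragment: "...#" is enough
    # to swallow everything appended afterwards.
    if "#" in url:
        return False, "fragment markers are not allowed in a fetch target"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable WOPI-style URL, one file URL
    # with a trailing fragment marker, one web URL carrying a fragment.
    samples = [
        "https://wopi.example.test/wopi/files/abc",
        "file:///C:/constructed/secret.txt#",
        "https://wopi.example.test/doc#x",
    ]
    for url in samples:
        accepted, reason = validate_preview_url(url)
        final_path = path_after_append(url, {"access_token": "constructed"})
        print(f"{url!r}: accepted={accepted} ({reason}); path after append={final_path!r}")
```

The check belongs at the point where the remote value is received, not after the server has built its final URL: once the parameters have been appended behind a fragment, inspecting the assembled string tells the server nothing about what it is about to open.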

This matters because Exchange servers can store sensitive configuration files, internal service data, and other material that may help an attacker move deeper into the environment.

Microsoft Patched the Issue in June

Microsoft addressed CVE-2026-45504 in its June 9, 2026 Exchange Server security updates. One official Microsoft Support page for Exchange Server Subscription Edition RTM lists CVE-2026-45504 among the vulnerabilities covered by the update.

The affected products listed in public vulnerability data include Exchange Server 2016 CU23, Exchange Server 2019 CU14, Exchange Server 2019 CU15, and Exchange Server Subscription Edition RTM.

Organizations should verify their exact Exchange build after patching. Microsoft recommends running the Exchange Server Health Checker to confirm update status and identify additional configuration actions.

  • Patch affected Exchange servers immediately.
  • Confirm the installed Exchange build after updating.
  • Review EWS and OWA exposure for internet-facing systems.
  • Restrict outbound server requests where possible.
  • Monitor authenticated mailbox activity for unusual attachment-preview behavior.
  • Rotate secrets if file-read exposure is suspected.

Public PoC Raises Exploitation Risk

A public PoC does not prove active exploitation, but it changes the risk calculation. Attackers can study the exploit path, adapt it, and test vulnerable systems more quickly.

The GitHub repository shows how the issue can be demonstrated against a target Exchange server by setting up a controlled endpoint and requesting a local file. Security teams should avoid running exploit code on production systems unless they have authorization and a controlled test plan.

For defenders, the safer approach is to check build numbers, apply the relevant update, and examine logs for suspicious authenticated activity around attachment previews, EWS requests, and unexpected outbound connections from Exchange.

Why Authenticated Exchange Bugs Still Matter

Some administrators may treat authenticated vulnerabilities as lower priority because the attacker needs an account. That can be a mistake in Exchange environments.

Large organizations often have many mailbox users, legacy service accounts, delegated accounts, shared mailbox access paths, and stale credentials. A single low-privileged account can still create serious risk when the vulnerable server sits at a trusted identity and mail boundary.

Exchange has also been a repeated target for attackers because it holds sensitive communications and often connects to internal systems. Any bug that exposes server-side file access deserves fast remediation.

Affected Exchange Versions

Public CVE data lists affected builds across supported Exchange lines. Administrators should compare their installed build against Microsoft’s fixed build guidance, not only the product name.

Product line                               Affected version range
Exchange Server 2016 CU23                  Versions before 15.01.2507.069
Exchange Server 2019 CU14                  Versions before 15.02.1544.041
Exchange Server 2019 CU15                  Versions before 15.02.1748.046
Exchange Server Subscription Edition RTM   Versions before 15.02.2562.043
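Comparing an installed build against the table above is easy to get wrong by hand because the same build is written with different zero padding in different places ("15.01.2507.069" in CVE data, "15.1.2507.69" in file properties, "Version 15.1 (Build 2507.69)" in the AdminDisplayVersion attribute that Get-ExchangeServer returns). The following is an added example, not a Microsoft tool: it takes the fixed builds from the table, normalises both input shapes to integers, infers the CU line from the first three components (a cumulative update keeps major.minor.build fixed and security updates vary only the last component), and reports builds from a line the table does not cover as unknown rather than guessing. All sample inputs are constructed.

```python
"""Compare an installed Exchange build against the fixed builds for CVE-2026-45504.

Added example, not a Microsoft tool. Fixed builds come from the article's table;
the two accepted input formats are the dotted build string and the
'Version 15.x (Build nnnn.nn)' shape used by AdminDisplayVersion. Sample inputs
in __main__ are constructed.
"""
import re
from typing import Optional, Tuple

# Product line -> first build that contains the June 2026 fix (from the table).
FIXED_BUILDS = {
    "Exchange Server 2016 CU23": "15.01.2507.069",
    "Exchange Server 2019 CU14": "15.02.1544.041",
    "Exchange Server 2019 CU15": "15.02.1748.046",
    "Exchange Server Subscription Edition RTM": "15.02.2562.043",
}

_ADMIN_DISPLAY = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)")


def parse_build(text: str) -> Tuple[int, int, int, int]:
    """Normalise either build format to a 4-tuple of ints.
    Integer parts make '15.01.2507.069' and '15.1.2507.69' compare equal."""
    m = _ADMIN_DISPLAY.search(text)
    if m:
        return tuple(int(g) for g in m.groups())
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {text!r}")
    return tuple(int(p) for p in parts)


def product_line_for(build: Tuple[int, int, int, int]) -> Optional[str]:
    """Identify the CU line from major.minor.build; None if the table lacks it."""
    for line, fixed in FIXED_BUILDS.items():
        if parse_build(fixed)[:3] == build[:3]:
            return line
    return None


def build_status(text: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (product line, vulnerable?) for an installed build string.

    'Versions before X' means strictly less than X, so the fixed build itself
    is reported as not vulnerable. (None, None) means the build is not in the
    table (for example an older CU) and must be checked against Microsoft's
    guidance by hand instead of being assumed safe."""
    build = parse_build(text)
    line = product_line_for(build)
    if line is None:
        return None, None
    return line, build < parse_build(FIXED_BUILDS[line])


if __name__ == "__main__":
    # Constructed sample inputs in both accepted formats.
    for sample in ["15.2.1544.41", "Version 15.2 (Build 1748.40)",
                   "15.01.2507.050", "15.2.1600.5"]:
        line, vulnerable = build_status(sample)
        if line is None:
            print(f"{sample}: build not in table, check manually")
        else:
            state = "VULNERABLE, apply June 2026 update" if vulnerable else "fixed build or later"
            print(f"{sample}: {line}: {state}")
```

Feed it the AdminDisplayVersion of every server in the organisation rather than one; a mixed estate where one node lags behind the others is exactly the case the table alone will not surface.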

What Administrators Should Do Now

Administrators should apply the June 2026 security update that matches their Exchange branch and then verify installation results. The Microsoft update page also points admins toward Health Checker and Exchange hardening guidance after installation.

Teams should review whether Exchange can make outbound requests to untrusted endpoints. SSRF bugs become more dangerous when a server can freely contact arbitrary hosts or protocols.

After patching, administrators should run the Health Checker script, preserve relevant logs, and review recent activity from low-privileged users who created or previewed reference attachments.

Bottom Line

CVE-2026-45504 is a high-severity Exchange SSRF vulnerability with a public exploit and a demonstrated arbitrary-file-read path. It requires authentication, but that does not make it safe to ignore.

The release of technical details and public PoC code increases urgency for organizations still running vulnerable Exchange builds. Patch validation should come first, followed by log review and network egress controls around Exchange servers.

Organizations that suspect exposure should assume sensitive local files may have been accessed and investigate from that position.

FAQ

What is CVE-2026-45504?

CVE-2026-45504 is a high-severity server-side request forgery vulnerability in Microsoft Exchange Server. Public research shows it can be abused by an authenticated low-privileged user to read arbitrary local files from a vulnerable Exchange server.

Is CVE-2026-45504 unauthenticated?

No. Microsoft and NVD describe the vulnerability as requiring an authorized attacker. HawkTrace describes the file-read exploit path as reachable by a low-privileged authenticated Exchange user.

What can attackers do with CVE-2026-45504?

Public research shows that an attacker with valid low-privileged Exchange access can abuse the SSRF flaw to make the server read local files. Depending on the files exposed, this could reveal configuration data, secrets, and other sensitive information.

Is there a public PoC exploit for CVE-2026-45504?

Yes. HawkTrace released a public GitHub proof-of-concept for CVE-2026-45504 after publishing technical details of the Exchange SSRF file-read chain.

How can administrators protect Exchange servers from CVE-2026-45504?

Administrators should install Microsoft’s June 2026 Exchange security updates, verify the installed build, run Exchange Server Health Checker, review suspicious authenticated activity, and restrict Exchange servers from making unnecessary outbound requests.
