PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability


A public proof-of-concept exploit has been released for CVE-2026-45504, a high-severity Microsoft Exchange Server vulnerability that can let an authenticated attacker elevate privileges over the network. Microsoft fixed the flaw in its June 9, 2026 Exchange Server security updates.

The vulnerability affects on-premises Exchange Server deployments. The Microsoft Security Update Guide classifies CVE-2026-45504 as an elevation of privilege issue and rates it with a CVSS v3.1 score of 8.8.

The risk increased after HawkTrace published technical details showing how the bug can be used to read arbitrary local files from an Exchange server. The company also linked the issue to Exchange’s handling of WOPI and WAC document preview flows.

What CVE-2026-45504 does

CVE-2026-45504 is a server-side request forgery vulnerability. The NVD entry says the flaw allows an authorized attacker to elevate privileges over a network and tracks the weakness as CWE-918.

In practical terms, the bug lets a low-privileged Exchange user influence a server-side request. HawkTrace says the vulnerable path can make Exchange read local files after it processes a malicious WOPI response during attachment preview handling.

This matters because Exchange servers often sit close to sensitive mailboxes, identity data, certificates, configuration files, and internal services. Even a file-read primitive can help attackers collect secrets that support deeper compromise.

Item                    Details
CVE                     CVE-2026-45504
Product                 Microsoft Exchange Server
Vulnerability type      Server-side request forgery leading to elevation of privilege
CVSS score              8.8, high severity
Privileges required     Low-privileged authenticated Exchange account
Patch date              June 9, 2026

How the public PoC changes the risk

Before public technical details appeared, administrators could treat the flaw as part of the normal June Exchange patch cycle. The publication of a PoC changes that calculation because attackers now have a clearer path to reproduce the issue in exposed or unpatched environments.

The HawkTrace research describes a file-read path involving Exchange’s WAC URL generation logic. The analysis says Exchange fails to properly validate the URL scheme returned by a WOPI provider before building the final document preview URL.

The proof-of-concept demonstrates reading files such as Windows configuration files from an Exchange Server 2019 system. Security teams should treat the release as a reason to accelerate patch validation, not as a reason to test exploit code on production systems.
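As an added illustration (not Exchange's code and not the HawkTrace PoC), the Python below models the validation gap the analysis describes: a preview URL assembled from a provider-supplied URL with no scheme check, next to a hardened version that allow-lists the scheme and host. The field name wac_url, the allow-list and all sample responses are constructed assumptions.

```python
from urllib.parse import urlparse

# Added example, not Exchange code: a simplified model of the bug class the
# article describes, where the document preview URL is built from a URL that a
# WOPI provider returned. wac_url and TRUSTED_WAC_HOSTS are assumptions.

ALLOWED_SCHEMES = {"https"}
TRUSTED_WAC_HOSTS = {"wac.example.internal"}  # constructed allow-list


class UnsafePreviewUrl(ValueError):
    """Raised when a provider-supplied URL fails validation."""


def build_preview_url_vulnerable(wopi_response: dict) -> str:
    # Trusts the provider: any scheme, including file:, is passed through.
    return wopi_response["wac_url"]


def build_preview_url_hardened(wopi_response: dict) -> str:
    url = wopi_response.get("wac_url", "")
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()          # case-fold: "FILE:" is still file:
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafePreviewUrl(f"scheme {scheme!r} not allowed")
    host = (parsed.hostname or "").lower()  # empty for "//host" and file:
    if host not in TRUSTED_WAC_HOSTS:
        raise UnsafePreviewUrl(f"host {host!r} not on the WAC allow-list")
    if parsed.username or parsed.password:
        raise UnsafePreviewUrl("userinfo in provider URL")
    return url


def evaluate(responses: dict) -> dict:
    """Return {name: (vulnerable_result, hardened_result)} per response."""
    out = {}
    for name, resp in responses.items():
        try:
            hardened = build_preview_url_hardened(resp)
        except UnsafePreviewUrl as exc:
            hardened = f"REJECTED: {exc}"
        out[name] = (build_preview_url_vulnerable(resp), hardened)
    return out


# Constructed WOPI responses covering edge cases a validator must handle.
SAMPLE_RESPONSES = {
    "legit":     {"wac_url": "https://wac.example.internal/wv/wordviewerframe.aspx"},
    "local":     {"wac_url": "file:///C:/constructed/path/config.txt"},
    "upper":     {"wac_url": "FILE:///C:/constructed/path/config.txt"},
    "userinfo":  {"wac_url": "https://u:p@wac.example.internal/x"},
    "no_scheme": {"wac_url": "//attacker.invalid/x"},
}

if __name__ == "__main__":
    for name, (vuln, hard) in evaluate(SAMPLE_RESPONSES).items():
        print(f"{name:10s} vulnerable={vuln!r}  hardened={hard!r}")
```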

  • The attacker needs a valid low-privileged Exchange mailbox account.
  • The attack abuses server-side request handling in Exchange.
  • The researcher-reported impact includes arbitrary local file reads.
  • File reads can expose configuration data, secrets, or other sensitive material.
  • Unpatched on-premises Exchange servers face the highest risk.

Which Exchange versions received updates

Microsoft released security updates for Exchange Server 2016 CU23, Exchange Server 2019 CU14, Exchange Server 2019 CU15, and Exchange Server Subscription Edition RTM. The Exchange Server 2019 CU15 update lists CVE-2026-45504 among the vulnerabilities fixed in the June 9 package.

The same update page also warns that Exchange Server 2016 and Exchange Server 2019 have reached end of support. Microsoft says organizations enrolled in the Extended Security Update program can receive later security updates, while others should migrate to Exchange Server Subscription Edition.

Tenable’s June Exchange plugin also lists CVE-2026-45504 among the vulnerabilities addressed by KB5094139, KB5094140, KB5094142, and KB5094144. It notes that scanners may rely on the Exchange server’s self-reported version number to determine exposure.

Exchange version                            June 2026 update
Exchange Server Subscription Edition RTM    KB5094139
Exchange Server 2019 CU15                   KB5094140
Exchange Server 2019 CU14                   KB5094142
Exchange Server 2016 CU23                   KB5094144

Why administrators should patch quickly

Exchange has a long history of becoming a high-value target after public vulnerability details appear. Even when a flaw requires authentication, attackers can combine it with stolen credentials, password spraying, exposed accounts, or another vulnerability.

The Microsoft advisory lists the attack vector as network-based and the required privileges as low. That combination makes the issue important for any organization that still runs on-premises Exchange.

Administrators should also run Microsoft’s Exchange Health Checker after installing updates. The Microsoft support page recommends using the tool to verify that the installation succeeded and to check whether additional actions are needed.

Detection and mitigation steps

The priority is to install the June 2026 Exchange Server security updates and confirm build numbers across all Exchange servers. Organizations should not assume a single patched front-end server protects the whole environment.

Security teams should review logs for unusual Exchange Web Services activity, suspicious reference attachments, outbound requests from Exchange servers to unknown hosts, and unexpected local file access patterns. Network controls should also restrict Exchange servers from reaching untrusted external destinations wherever possible.

The Tenable detection guidance reinforces the need to confirm patch status across the Exchange fleet. The NVD record confirms the high-impact CVSS vector, including high confidentiality, integrity, and availability impact.

  • Apply KB5094139, KB5094140, KB5094142, or KB5094144 where applicable.
  • Confirm Exchange build numbers after installation.
  • Run Exchange Health Checker after patching.
  • Limit EWS and OWA access to trusted networks where possible.
  • Restrict outbound traffic from Exchange servers to untrusted hosts.
  • Monitor for suspicious WOPI, WAC, and reference attachment activity.
  • Review low-privileged mailbox accounts for unusual attachment actions.
  • Check whether Exchange 2016 or 2019 servers need ESU coverage or migration.

What this means for Exchange environments

The public PoC does not automatically mean mass exploitation has begun. However, it lowers the technical barrier for attackers and gives defenders less time to patch before scanning and weaponization attempts increase.

Organizations running Exchange Server should treat CVE-2026-45504 as an urgent operational issue. The highest priority goes to internet-facing servers, hybrid deployments, and environments with large numbers of mailbox users or weak account hygiene.

Microsoft has already released fixes, and the researcher details are now public. That leaves administrators with a narrow but clear response path: patch, verify, harden access, and watch for suspicious Exchange request patterns.

FAQ

What is CVE-2026-45504?

CVE-2026-45504 is a Microsoft Exchange Server elevation of privilege vulnerability caused by server-side request forgery. Microsoft rates it as high severity with a CVSS score of 8.8.

Is there a public exploit for CVE-2026-45504?

Yes. HawkTrace published technical details and a public proof-of-concept showing how the flaw can be used to read arbitrary files from an Exchange server.

Which Exchange Server versions are affected?

Microsoft’s June 2026 Exchange updates cover Exchange Server 2016 CU23, Exchange Server 2019 CU14, Exchange Server 2019 CU15, and Exchange Server Subscription Edition RTM.

How can administrators fix CVE-2026-45504?

Administrators should install the relevant June 9, 2026 Exchange Server security update, verify build numbers, run Exchange Health Checker, and review Exchange logs for suspicious EWS, WOPI, WAC, or attachment-preview activity.

Does CVE-2026-45504 require authentication?

Yes. The vulnerability requires a low-privileged authenticated Exchange user. That still makes it risky because attackers can combine it with stolen mailbox credentials or other access methods.
