Microsoft Exchange SSRF Vulnerability (CVE-2026-45504) Exposes Sensitive Files
Security researchers at HawkTrace have uncovered a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, tracked as CVE-2026-45504 (CVSS score: 8.8). The flaw allows authenticated, low-privileged users to read arbitrary files from vulnerable on-premises Exchange servers, posing significant risks to enterprise environments.
The vulnerability stems from improper input validation in Exchange’s OneDriveProUtilities component, specifically within functions like TryTwice and GetWacUrl, which handle WOPI (Web Application Open Platform Interface) requests for document previews. When processing user-controlled input, Exchange fails to validate URL schemes, enabling attackers to manipulate backend requests.
Exploitation Mechanism
An attacker can exploit the flaw by:
- Creating a malicious reference attachment via Exchange Web Services (EWS), pointing to an attacker-controlled server.
- Tricking a victim into previewing the attachment, triggering Exchange to request WOPI metadata from the attacker’s server.
- Responding with a file:// URI (e.g., file:///C:/Windows/win.ini#), a technique that bypasses path restrictions by using a fragment character (#) to ignore appended parameters.
- Gaining arbitrary file read access, allowing extraction of sensitive system files, including configurations, credentials, and internal service data.
Root Cause & Impact
The core issue is a trust boundary violation: Exchange blindly accepts non-HTTP schemes (e.g., file://) from WOPI endpoints without validation. This flaw effectively converts an SSRF vulnerability into an arbitrary file read primitive, exposing critical enterprise data.
HawkTrace has released a public proof-of-concept (PoC) exploit on GitHub, demonstrating real-world exploitation by retrieving files like the system hosts file. The disclosure underscores the risks of SSRF in complex enterprise software, even when authentication is required.
Mitigation & Response
Microsoft has issued security updates to address the vulnerability. Organizations are advised to:
- Apply patches immediately to prevent exploitation.
- Restrict outbound requests from Exchange servers to untrusted endpoints.
- Enforce strict URL scheme validation, blocking dangerous protocols like file://.
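The third recommendation is easy to get wrong if the check runs on a string after the server has already appended its own parameters: the trailing `#` described above makes everything appended after it a fragment, which is never sent. The following is an added Python illustration of the defensive check (it is not Exchange's own .NET code and not the HawkTrace proof of concept); the function names `validate_wopi_url`, `build_request_url` and `classify`, the `wopi.example.com` host and the sample URLs are constructed for this example. It parses the URL the remote endpoint returned, allow-lists the scheme, rejects any fragment character, optionally restricts the host to approved endpoints, and only then merges server-side parameters into the query component.

```python
"""Scheme and host validation for a URL returned by an external WOPI endpoint.

Added example, not code from Microsoft Exchange or from HawkTrace. All names
and sample values here are constructed for illustration.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Only web schemes may ever be fetched on behalf of a user-supplied reference.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeCallbackUrl(ValueError):
    """Raised when a URL supplied by a WOPI endpoint must not be fetched."""


def validate_wopi_url(raw: str, allowed_hosts: Optional[frozenset] = None) -> str:
    """Return a normalised URL that is safe to request, or raise UnsafeCallbackUrl.

    The checks run on the parsed URL before any server-side parameters are
    appended, so a trailing '#' cannot hide the scheme or path from the check.
    """
    # A fragment is never transmitted to a server, so a callback URL has no
    # legitimate reason to carry one; it is what swallows appended parameters.
    if "#" in raw:
        raise UnsafeCallbackUrl("fragment character not allowed")
    parts = urlsplit(raw.strip())
    scheme = parts.scheme.lower()          # FILE:// must fail exactly like file://
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeCallbackUrl(f"scheme {scheme or '<none>'!r} not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeCallbackUrl("URL has no host")
    # Optional allow-list of approved WOPI hosts (the "restrict outbound
    # requests to untrusted endpoints" recommendation, applied per URL).
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise UnsafeCallbackUrl(f"host {host!r} is not an approved WOPI endpoint")
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, ""))


def build_request_url(raw: str, extra: dict, allowed_hosts: Optional[frozenset] = None) -> str:
    """Validate first, then merge server-side parameters into the query component.

    Merging through the parsed structure (rather than string concatenation)
    guarantees the parameters end up in the query, never behind a fragment.
    """
    safe = validate_wopi_url(raw, allowed_hosts)
    parts = urlsplit(safe)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def classify(raw: str, allowed_hosts: Optional[frozenset] = None) -> str:
    """Human-readable verdict for one candidate URL."""
    try:
        return "allowed: " + validate_wopi_url(raw, allowed_hosts)
    except UnsafeCallbackUrl as exc:
        return "rejected: " + str(exc)


# Constructed sample inputs; the first is the file URI quoted in the write-up.
SAMPLES = [
    "file:///C:/Windows/win.ini#",
    "FILE:///C:/Windows/win.ini",
    "https://wopi.example.com/wv/wordviewerframe.aspx?ui=en-US#",
    "https://wopi.example.com/wv/wordviewerframe.aspx?ui=en-US",
    "http:///no-host-here",
    "gopher://wopi.example.com/",
]

if __name__ == "__main__":
    approved = frozenset({"wopi.example.com"})
    for sample in SAMPLES:
        print(f"{sample!r:62} -> {classify(sample, approved)}")
    print(build_request_url(SAMPLES[3], {"access_token": "<placeholder>"}, approved))
```

The order of operations is the point: parse, reject unexpected schemes and fragments, then add parameters into the query, and only after that issue the outbound request. A check that inspects the final string after concatenation, or that only looks for a leading `http` prefix, would not catch the case the write-up describes.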
The release of detailed research and a working exploit increases the likelihood of threat actor adoption, heightening the urgency for affected organizations to secure their deployments.
Source: https://cybersecuritynews.com/exchange-ssrf-poc-exploit-released/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center
"id": "mic1783067043",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Enterprises using on-premises '
'Microsoft Exchange servers',
'industry': 'Technology/Enterprise Software',
'location': 'Global',
'name': 'Microsoft Exchange',
'type': 'Software'}],
'attack_vector': 'Malicious reference attachment via Exchange Web Services '
'(EWS)',
'data_breach': {'file_types_exposed': ['Configuration files', 'System files'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'System files, configurations, '
'credentials, internal service '
'data'},
'description': 'Security researchers at HawkTrace have uncovered a '
'high-severity server-side request forgery (SSRF) '
'vulnerability in Microsoft Exchange, tracked as '
'CVE-2026-45504 (CVSS score: 8.8). The flaw allows '
'authenticated, low-privileged users to read arbitrary files '
'from vulnerable on-premises Exchange servers, posing '
'significant risks to enterprise environments. The '
'vulnerability stems from improper input validation in '
'Exchange’s OneDriveProUtilities component, enabling attackers '
'to manipulate backend requests and gain arbitrary file read '
'access.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'data exposure',
'data_compromised': 'Sensitive system files, configurations, '
'credentials, and internal service data',
'operational_impact': 'Potential exposure of critical enterprise '
'data',
'systems_affected': 'Microsoft Exchange on-premises servers'},
'lessons_learned': 'The incident underscores the risks of SSRF in complex '
'enterprise software, even when authentication is '
'required. Proper input validation and trust boundary '
'enforcement are critical to preventing such '
'vulnerabilities.',
'post_incident_analysis': {'corrective_actions': 'Microsoft issued security '
'updates to address the '
'vulnerability. '
'Organizations are advised '
'to patch systems, restrict '
'outbound requests, and '
'enforce URL scheme '
'validation.',
'root_causes': 'Improper input validation in '
'Exchange’s OneDriveProUtilities '
'component, specifically in '
'functions handling WOPI requests, '
'leading to a trust boundary '
'violation where non-HTTP schemes '
'(e.g., file://) were accepted '
'without validation.'},
'recommendations': ['Apply Microsoft security updates immediately',
'Restrict outbound requests from Exchange servers to '
'untrusted endpoints',
'Enforce strict URL scheme validation to block dangerous '
'protocols like file://'],
'references': [{'source': 'HawkTrace Research',
'url': 'https://github.com/HawkTrace/CVE-2026-45504-PoC'}],
'response': {'containment_measures': 'Apply Microsoft security updates, '
'restrict outbound requests from '
'Exchange servers to untrusted '
'endpoints, enforce strict URL scheme '
'validation',
'remediation_measures': 'Patch vulnerable systems immediately'},
'title': 'Microsoft Exchange SSRF Vulnerability (CVE-2026-45504) Exposes '
'Sensitive Files',
'type': 'SSRF (Server-Side Request Forgery)',
'vulnerability_exploited': 'CVE-2026-45504'}