PoC Released for Microsoft Exchange SSRF Flaw That Lets Low-Privileged Users Read Files
A newly disclosed server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2019, tracked as CVE-2026-45504, allows any authenticated, low-privileged user to read arbitrary files f

A newly disclosed server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2019, tracked as CVE-2026-45504, allows any authenticated, low-privileged user to read arbitrary files from the server without additional authorization. Security researcher Batuhan Er of the HawkTrace team published the technical breakdown along with a working proof-of-concept (PoC), assigning the flaw a CVSS score […] The post PoC Released for Microsoft Exchange SSRF Flaw That Lets Low-Privileged Users Read Files appeared first on Cyber Security News.
A newly disclosed server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2019, tracked as CVE-2026-45504, allows any authenticated, low-privileged user to read arbitrary files from the server without additional authorization. Security researcher Batuhan Er of the HawkTrace team published the technical breakdown along with a working proof-of-concept (PoC), assigning the flaw a CVSS score of 8.8. The vulnerability, an SSRF-driven file-read issue, affects on-premises deployments of Exchange, Microsoft’s server-based messaging platform used to manage email, calendars, contacts, and tasks through clients such as Outlook. PoC Released for Microsoft Exchange SSRF Flaw The root cause lies in Exchange’s OneDrive and WOPI (Web Application Open Platform Interface) integration, specifically within OneDriveProUtilities.GetWacUrl and its supporting helper functions, TryTwice and GetTokenRequestWebResponse. These methods handle token retrieval for opening Office documents via SharePoint’s WOPI API, but they fail to validate the scheme of the WebApplicationUrl returned by a WOPI provider before using it to build a follow-up request. The TryTwice function passes a URL directly into WebRequest.CreateHttp(url), meaning any address supplied by an attacker-controlled endpoint gets requested without restriction, while GetTokenRequestWebResponse transforms that URL into a SharePoint REST API call. An attacker can exploit this chain by creating an EWS ReferenceAttachment with a ProviderEndpointUrl pointing to an attacker-controlled server. When a victim opens the attachment preview, Exchange sends a request to that server. The attacker’s server then responds with a crafted WebApplicationUrl, such as file:///C:/windows/win.ini#. Because Exchange appends OAuth parameters, namely access_token, access_token_ttl, and sc, directly to this URL, a plain file path would normally break the syntax and prevent the file from resolving correctly. The # fragment character solves this problem for the attacker, since everything appearing after it is treated as a URI fragment and discarded by the parser, leaving Exchange to fetch the file at file:///C:/windows/win.ini via FileWebRequest and return its contents in the response. HawkTrace stated that exploitation path traces cleanly through Exchange’s OWA server core, beginning with GetWacAttachmentInfo.ExecuteAsync, which initiates attachment processing, and moving, which handles the reference attachment logic. From there, OneDriveProUtilities.GetWacUrl, in both its internal and wrapper forms, constructs the vulnerable request, while GetTokenRequestWebResponse and TryTwice execute the SSRF call and parse the malicious XML response for the WebApplicationUrl, AccessToken, and AccessTokenTtl fields. Because this entire chain is reachable through standard EWS calls used to create an attachment, no elevated privileges beyond a valid mailbox account are required to trigger it. Mitigation CVE-2026-45504 lets attackers exfiltrate sensitive local files, including configuration files, credentials, or other data stored on the Exchange server, purely through crafted attachment metadata and a malicious WOPI response. Microsoft’s permanent fix requires strict scheme validation on WebApplicationUrl values returned by WOPI providers, explicitly blocking file:// and other non-HTTP(S) schemes before they reach WebClient.OpenRead(). Until patches are applied, administrators should audit their WOPI and OneDrive integration settings and monitor for anomalous requests. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post PoC Released for Microsoft Exchange SSRF Flaw That Lets Low-Privileged Users Read Files appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


