Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit

Security researchers from HawkTrace have disclosed technical details of a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, tracked as CVE-2026-45504.

The flaw, which carries a CVSS score of 8.8, allows authenticated, low-privileged users to read arbitrary files from vulnerable Exchange servers, raising serious concerns for enterprises relying on on-premises deployments.

Microsoft Exchange is widely used for enterprise email, calendaring, and collaboration. Because of its central role in handling sensitive communications, vulnerabilities that allow unauthorized access to data can have a significant impact.

In this case, the issue lies in how Exchange processes external URLs during attachment previews and when integrating with SharePoint services.

According to the HawkTrace analysis, the vulnerability originates in the OneDriveProUtilities component, specifically within functions such as TryTwice and GetWacUrl.

These functions make HTTP requests to retrieve WOPI (Web Application Open Platform Interface) data and access tokens for document previews.

Exchange SSRF Flaw Gets Public PoC Exploit

The core issue is that user-controlled input is passed directly into WebRequest.CreateHttp without sufficient validation.

The attack begins when an authenticated user creates a specially crafted reference attachment using Exchange Web Services (EWS).

This attachment includes a ProviderEndpointUrl pointing to an attacker-controlled server. When the victim accesses or previews the attachment, the Exchange server initiates a backend request to the attacker’s server to retrieve WOPI metadata.

The attacker then responds with a malicious WebApplicationUrl value. Instead of returning a standard HTTP or HTTPS URL, the response includes a file URI such as file:///C:/Windows/win.ini.

Normally, additional query parameters appended by Exchange would break the file path. However, the researchers demonstrated a simple bypass using the fragment character (#).

By returning a payload like file:///C:/Windows/win.ini#, everything appended after the fragment is ignored, allowing the system to process the local file path correctly.

As a result, Exchange unknowingly performs a FileWebRequest to the local file system and returns the file contents to the attacker.

This effectively turns the SSRF vulnerability into an arbitrary-file-read primitive, enabling access to sensitive system files such as configuration data, credentials, and internal service information.

The root cause of the issue is the lack of scheme validation on URLs returned from WOPI endpoints. Exchange trusts the response and does not restrict non-HTTP schemes like file://, which should never be allowed in this context.

This trust boundary violation enables attackers to pivot from a controlled external request into internal file access.

HawkTrace has also released a public proof-of-concept (PoC) exploit on GitHub, demonstrating how the vulnerability can be exploited in real-world scenarios.

The PoC automates the process by setting up a malicious server, authenticating to Exchange, and requesting arbitrary files such as the system hosts file.

The disclosure highlights ongoing risks associated with SSRF vulnerabilities in complex enterprise software. Even when authentication is required, low-privileged access combined with improper input validation can lead to significant data exposure.

To mitigate this issue, organizations should apply security updates provided by Microsoft and restrict Exchange servers from making outbound requests to untrusted endpoints.

Proper validation of URL schemes, especially blocking file:// and similar protocols, is critical to preventing exploitation.
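The scheme check described above can be sketched as follows. This is an added example, not code from Exchange, Microsoft, or HawkTrace. The function names, the allowlisted host `wac.contoso.example`, and the appended `&access_token=TOKEN` string are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of preview hosts (constructed sample value).
ALLOWED_HOSTS = {"wac.contoso.example"}
ALLOWED_SCHEMES = {"http", "https"}


def validate_wopi_url(candidate, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a URL received from a remote WOPI endpoint."""
    if not isinstance(candidate, str) or not candidate.strip():
        return False, "empty value"
    try:
        parts = urlsplit(candidate.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return False, "unparseable URL"
    # urlsplit lowercases the scheme, so FILE:// is caught as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    if host not in allowed_hosts:
        return False, f"host '{host}' not on allowlist"
    # Test the raw string: a bare trailing '#' parses to an empty fragment
    # and would otherwise pass unnoticed.
    if "#" in candidate:
        return False, "fragment present; appended parameters would be dropped"
    if parts.username or parts.password:
        return False, "embedded credentials"
    return True, "ok"


def effective_target(returned_url, appended="&access_token=TOKEN"):
    """Show how a URL parses after the server appends its own parameters.

    The appended string is a constructed stand-in for whatever the
    server adds; it is not taken from Exchange.
    """
    parts = urlsplit(returned_url + appended)
    return parts.scheme, parts.path, parts.query, parts.fragment


if __name__ == "__main__":
    for url in ("https://wac.contoso.example/preview?doc=1",
                "file:///C:/Windows/win.ini#",
                "https://wac.contoso.example/preview#"):
        print(url, "->", validate_wopi_url(url))
    print(effective_target("file:///C:/Windows/win.ini#"))
```

`effective_target` shows why the trailing `#` matters: the appended parameters land in the fragment, so the path stays a clean local file path. The validator therefore rejects fragments in addition to non-HTTP schemes and hosts that are not allowlisted.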

The release of detailed research and a working exploit increases the urgency for organizations to assess their exposure and implement patches immediately, as threat actors may quickly adopt these techniques in targeted attacks.


The post Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit appeared first on Cyber Security News.






Abinaya




