{"id":14053,"date":"2026-07-03T10:03:37","date_gmt":"2026-07-03T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/03\/microsoft-exchange-ssrf-vulnerability-details-released-along-with-public-poc-exploit\/"},"modified":"2026-07-03T10:03:37","modified_gmt":"2026-07-03T10:03:37","slug":"microsoft-exchange-ssrf-vulnerability-details-released-along-with-public-poc-exploit","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/03\/microsoft-exchange-ssrf-vulnerability-details-released-along-with-public-poc-exploit\/","title":{"rendered":"Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">Security researchers from HawkTrace have disclosed technical details of a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, <a href=\"https:\/\/cybersecuritynews.com\/poc-exploit-released-exchange-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">tracked as CVE-2026-45504<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">The flaw, which carries a CVSS score of 8.8, allows authenticated, low-privileged users to read arbitrary files from vulnerable Exchange servers, raising serious concerns for enterprises relying on on-premises deployments.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Exchange is widely used for enterprise email, calendaring, and collaboration. 
Because of its central role in handling sensitive communications, vulnerabilities that allow unauthorized access to data can have a significant impact.<\/p>\n<p class=\"wp-block-paragraph\">In this case, the issue lies in how Exchange processes external URLs during attachment previews and when integrating with SharePoint services.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/hawktrace.com\/blog\/CVE-2026-45504\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to the HawkTrace analysis<\/a>, the vulnerability originates in the OneDriveProUtilities component, specifically within functions such as TryTwice and GetWacUrl.<\/p>\n<p class=\"wp-block-paragraph\">These functions make HTTP requests to retrieve <a href=\"https:\/\/cybersecuritynews.com\/web-application-api-attacks-are-rising\/\" target=\"_blank\" rel=\"noreferrer noopener\">WOPI (Web Application Open Platform Interface)<\/a> data and access tokens for document previews.<\/p>\n<h2 id=\"h-exchange-ssrf-flaw-gets-public-poc-exploit\" class=\"wp-block-heading\"><strong>Exchange SSRF Flaw Gets Public PoC Exploit<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The core issue is that user-controlled input is passed directly into WebRequest.CreateHttp without sufficient validation.<\/p>\n<p class=\"wp-block-paragraph\">The attack begins when an authenticated user creates a specially crafted reference attachment using <a href=\"https:\/\/cybersecuritynews.com\/secure-default-exchange-and-teams\/\" target=\"_blank\" rel=\"noreferrer noopener\">Exchange Web Services (EWS)<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">This attachment includes a ProviderEndpointUrl pointing to an attacker-controlled server. When the victim accesses or previews the attachment, the Exchange server initiates a backend request to the attacker\u2019s server to retrieve WOPI metadata.<\/p>\n<p class=\"wp-block-paragraph\">The attacker then responds with a malicious WebApplicationUrl value. 
Instead of returning a standard HTTP or HTTPS URL, the response includes a file URI such as file:\/\/\/C:\/Windows\/win.ini.<\/p>\n<p class=\"wp-block-paragraph\">Normally, additional query parameters appended by Exchange would break the file path. However, the researchers demonstrated a simple bypass using the fragment character (#).<\/p>\n<p class=\"wp-block-paragraph\">By returning a payload like file:\/\/\/C:\/Windows\/win.ini#, everything appended after the fragment is ignored, allowing the system to process the local file path correctly.<\/p>\n<p class=\"wp-block-paragraph\">As a result, Exchange unknowingly performs a FileWebRequest to the local file system and returns the file contents to the attacker.<\/p>\n<p class=\"wp-block-paragraph\">This effectively turns the SSRF vulnerability into an arbitrary-file-read primitive, enabling access to sensitive system files such as configuration data, credentials, and internal service information.<\/p>\n<p class=\"wp-block-paragraph\">The root cause of the issue is the lack of scheme validation on URLs returned from WOPI endpoints. 
Exchange trusts the response and does not restrict non-HTTP schemes like file:\/\/, which should never be allowed in this context.<\/p>\n<p class=\"wp-block-paragraph\">This trust boundary violation enables attackers to pivot from a controlled external request into internal file access.<\/p>\n<p class=\"wp-block-paragraph\">HawkTrace has also released a public <a href=\"https:\/\/github.com\/hawktrace\/CVE-2026-45504\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">proof-of-concept (PoC) exploit on GitHub<\/a>, demonstrating how the vulnerability can be exploited in real-world scenarios.<\/p>\n<p class=\"wp-block-paragraph\">The PoC automates the process by setting up a malicious server, authenticating to Exchange, and requesting arbitrary files such as the system hosts file.<\/p>\n<p class=\"wp-block-paragraph\">The disclosure highlights ongoing risks associated with<a href=\"https:\/\/cybersecuritynews.com\/xerox-freeflow-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\"> SSRF vulnerabilities<\/a> in complex enterprise software. 
Even when authentication is required, low-privileged access combined with improper input validation can lead to significant data exposure.<\/p>\n<p class=\"wp-block-paragraph\">To mitigate this issue, organizations should apply security updates provided by Microsoft and restrict Exchange servers from making outbound requests to untrusted endpoints.<\/p>\n<p class=\"wp-block-paragraph\">Proper validation of URL schemes, especially blocking file:\/\/ and similar protocols, is critical to preventing exploitation.<\/p>\n<p class=\"wp-block-paragraph\">The release of detailed research and a working exploit increases the urgency for organizations to assess their exposure and implement patches immediately, as threat actors may quickly adopt these techniques in targeted attacks.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/exchange-ssrf-poc-exploit-released\/\">Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a 
href=\"https:\/\/cybersecuritynews.com\/exchange-ssrf-poc-exploit-released\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit Security researchers from HawkTrace have disclosed technical details of a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, tracked as CVE-2026-45504. The flaw, which carries a CVSS score of 8.8, allows authenticated, low-privileged users to read arbitrary files from vulnerable Exchange servers, raising [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,158,131,648],"tags":[130],"class_list":["post-14053","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-microsoft","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14053"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14053"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14053\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serise
c.com\/index.php\/wp-json\/wp\/v2\/tags?post=14053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}