Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit
https://cybersecuritynews.com/exchange-ssrf-poc-exploit-released/
Publish Date: 2026-07-04 15:30:00
Source Domain: cybersecuritynews.com
Security researchers from HawkTrace have disclosed technical details of a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, tracked as CVE-2026-45504.
The flaw, which carries a CVSS score of 8.8, allows authenticated, low-privileged users to read arbitrary files from vulnerable Exchange servers, raising serious concerns for enterprises relying on on-premises deployments.
Microsoft Exchange is widely used for enterprise email, calendaring, and collaboration. Because of its central role in handling sensitive communications, vulnerabilities that allow unauthorized access to data can have a significant impact.
In this case, the issue lies in how Exchange processes external URLs during attachment previews and when integrating with SharePoint services.
According to the HawkTrace analysis, the vulnerability originates in the OneDriveProUtilities component, specifically within functions such as TryTwice and GetWacUrl.
These functions make HTTP requests to retrieve WOPI (Web Application Open Platform Interface) data and access tokens for document previews.
Exchange SSRF Flaw Gets Public PoC Exploit
The core issue is that user-controlled input is passed directly into WebRequest.CreateHttp without sufficient validation; in particular, the URL scheme is not restricted to HTTP or HTTPS before the request is issued.
The attack begins when an authenticated user creates a specially crafted reference attachment using Exchange Web Services (EWS).
This attachment includes a ProviderEndpointUrl pointing to an attacker-controlled server. When the victim accesses or previews the attachment, the Exchange server initiates a backend request to the attacker’s server to retrieve WOPI metadata.
The attacker then responds with a malicious WebApplicationUrl value. Instead of returning a standard HTTP or HTTPS URL, the response includes a file URI such as file:///C:/Windows/win.ini.
Normally, additional query parameters appended by Exchange would break the file path. However, the researchers demonstrated a simple…
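The two-stage flow described above, modelled as an added Python example (this is not Exchange's code and not the HawkTrace PoC): a provider reply carries a WebApplicationUrl, and a fetch routine hands that URL to the request API unchecked. The example reproduces two things the article states, that a file URI returns local file contents when nothing restricts the scheme, and that a query string appended to a file URI breaks the path; it does not reproduce the researchers' bypass, which the page does not show. The hardened check beside it (scheme allow-list, no userinfo, no non-public literal addresses, host allow-list) is one defensive pattern, not Microsoft's fix. ALLOWED_WOPI_HOSTS, the sample file and the attacker reply are constructed; the temporary file stands in for win.ini.

```python
"""SSRF-to-file-read pattern and one hardening (added illustration)."""
import ipaddress
import json
import tempfile
import urllib.error
import urllib.request
from pathlib import Path
from urllib.parse import urlsplit

# Constructed allow-list of document-preview (WOPI) hosts the server may
# contact. A real deployment would derive this from configured endpoints.
ALLOWED_WOPI_HOSTS = {"wopi.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def fetch_unvalidated(url: str) -> bytes:
    """Vulnerable pattern: a URL taken from a response the attacker controls
    goes straight into the request API. urllib accepts file:// as well as
    http(s)://, so a file URI returns local file contents to the caller."""
    with urllib.request.urlopen(url) as resp:  # intentionally unsafe
        return resp.read()


def validate_outbound_url(url: str) -> str:
    """Hardened check. Returns the URL unchanged or raises ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addr = ipaddress.ip_address(host)  # brackets already stripped for IPv6
    except ValueError:
        addr = None
    # Literal addresses that are loopback, private or link-local
    # (e.g. 169.254.169.254) are rejected before the allow-list check.
    if addr is not None and not addr.is_global:
        raise ValueError(f"non-public address not allowed: {host}")
    if host.lower() not in ALLOWED_WOPI_HOSTS:
        raise ValueError(f"host not on allow-list: {host}")
    return url


def is_rejected(url: str) -> bool:
    """True if the hardened check refuses the URL."""
    try:
        validate_outbound_url(url)
    except ValueError:
        return True
    return False


def wopi_discovery(provider_reply: str, fetch) -> bytes:
    """Second stage: parse the provider's reply, take its WebApplicationUrl
    and fetch it with the supplied fetch function."""
    web_app_url = json.loads(provider_reply)["WebApplicationUrl"]
    return fetch(web_app_url)


def demo() -> dict:
    """Run the vulnerable and hardened paths against a constructed attacker
    reply whose WebApplicationUrl is a file:// URI."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "win.ini"  # constructed stand-in for C:\Windows\win.ini
        target.write_text("; constructed sample\n[fonts]\n")
        attacker_reply = json.dumps({"WebApplicationUrl": target.as_uri()})

        # 1. No validation: the local file is read and returned.
        leaked = wopi_discovery(attacker_reply, fetch_unvalidated)

        # 2. Appending a query string to the file URI breaks the path
        #    (the behaviour the article describes as the normal case).
        try:
            fetch_unvalidated(target.as_uri() + "?access_token=abc")
            query_broke_path = False
        except urllib.error.URLError:
            query_broke_path = True

        # 3. Hardened: the file URI is refused before any request is made.
        try:
            wopi_discovery(attacker_reply,
                           lambda u: fetch_unvalidated(validate_outbound_url(u)))
            blocked = False
        except ValueError:
            blocked = True

    return {"leaked": leaked.decode(), "query_broke_path": query_broke_path,
            "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The host allow-list is checked on the hostname string only; a hostname that resolves to an internal address (or is re-pointed after validation) still needs the resolved address checked at connect time, so in production the address check belongs in the HTTP client's connection hook as well as in the validator.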