Critical Microsoft Exchange SSRF Vulnerability Gets Public PoC Exploit

Emy Elsamnoudy
July 3, 2026

Key Takeaways

  • A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-45504, has been identified in Microsoft Exchange.
  • The flaw, rated 8.8 CVSS, allows authenticated, low-privileged users to read arbitrary files from on-premises Exchange servers.
  • Security researchers at HawkTrace have released a public proof-of-concept (PoC) exploit, increasing the urgency for mitigation.
  • The vulnerability stems from insufficient validation of external URLs, particularly within attachment preview and SharePoint integration features.

High-Severity SSRF Vulnerability Uncovered in Microsoft Exchange, Public PoC Released

Cybersecurity researchers at HawkTrace have brought to light a significant server-side request forgery (SSRF) vulnerability, designated CVE-2026-45504, affecting Microsoft Exchange. This flaw carries a high CVSS score of 8.8, indicating its severe potential impact.

The vulnerability enables an authenticated user with minimal privileges to access and read arbitrary files stored on vulnerable Exchange servers. This poses a substantial risk for organizations utilizing on-premises Exchange deployments, given the critical role of Exchange in enterprise communication and collaboration.

Understanding the Vulnerability

Microsoft Exchange is a cornerstone for many enterprises, managing email, calendars, and collaborative functions. Any security flaw that permits unauthorized data access in such a central system can have wide-ranging consequences.

The core issue lies in how Exchange processes external URLs, particularly during attachment previews and its interactions with SharePoint services. According to the HawkTrace analysis, the vulnerability originates within the OneDriveProUtilities component, specifically within functions like TryTwice and GetWacUrl. These functions are responsible for initiating HTTP requests to retrieve Web Application Open Platform Interface (WOPI) data and access tokens necessary for document previews.

Exploitation Mechanism

The vulnerability arises because user-supplied input is passed directly into WebRequest.CreateHttp without adequate validation. The attack sequence begins when an authenticated user crafts a specialized reference attachment using Exchange Web Services (EWS). This attachment contains a ProviderEndpointUrl that points to a server controlled by the attacker.

When a victim interacts with or previews this attachment, the Exchange server makes a backend request to the attacker’s server to fetch WOPI metadata. The attacker’s server then responds with a malicious WebApplicationUrl value. Critically, instead of providing a standard HTTP or HTTPS URL, the response includes a file URI, such as file:///C:/Windows/win.ini.

Exchange typically appends additional query parameters that would break such a file path, but the researchers found a straightforward bypass using the fragment character (#). When the returned value is a payload like file:///C:/Windows/win.ini#, everything Exchange appends afterwards falls into the URI fragment and is ignored, so the local file path resolves intact.

Consequently, Exchange unwittingly executes a FileWebRequest to its local file system and returns the contents of the specified file to the attacker. This transforms the SSRF vulnerability into an arbitrary-file-read primitive, providing access to sensitive system files, including configuration data, credentials, and internal service information.

The fundamental cause is the absence of scheme validation on URLs returned from WOPI endpoints. Exchange implicitly trusts these responses and fails to restrict non-HTTP schemes like file://, which should be explicitly disallowed in this context. This trust boundary violation enables attackers to pivot from an external request to internal file system access.
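
The missing scheme check, sketched for code you control that fetches a URL taken from a remote metadata response. This is an added example, not Exchange's code or Microsoft's fix; the allow-listed host, the function names and the sample URLs other than the article's file URI are assumptions.

```python
from urllib.parse import urlsplit, urlencode

# Assumptions for this sketch: previews only ever need HTTPS, and the set of
# legitimate document hosts is known. The host name below is a placeholder.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"sharepoint.example.com"}


def rejection_reason(url):
    """Return None if a URL from a remote metadata response may be fetched,
    otherwise a short reason for rejecting it."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:      # urlsplit lower-cases the scheme
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return "embedded credentials not allowed"
    if host not in ALLOWED_HOSTS:                # hostname is lower-cased too
        return f"host {host!r} not allowed"
    # A bare trailing '#' parses as an empty fragment, so test the raw string:
    # anything appended after it would sit in the fragment, not the query.
    if "#" in url:
        return "fragment not allowed"
    return None


def build_preview_url(returned_url, params):
    """Validate first, then append the caller's query parameters."""
    reason = rejection_reason(returned_url)
    if reason:
        raise ValueError(f"refusing {returned_url!r}: {reason}")
    sep = "&" if urlsplit(returned_url).query else "?"
    return returned_url + sep + urlencode(params)


if __name__ == "__main__":
    # Constructed sample values; the file URI is the one quoted in the article.
    for sample in (
        "https://sharepoint.example.com/wopi/view?doc=1",
        "file:///C:/Windows/win.ini#",
        "https://sharepoint.example.com/wopi/view#",
        "https://untrusted.example/wopi/view",
    ):
        print(sample, "->", rejection_reason(sample) or "ok")
```

The validation runs before any parameters are appended and before any request object is created, so a rejected value never reaches the code that picks a request handler by scheme.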

Public PoC and Urgency

HawkTrace has further emphasized the severity of this issue by releasing a public proof-of-concept (PoC) exploit on GitHub. This PoC effectively demonstrates how the vulnerability can be exploited in real-world scenarios, automating the process of setting up a malicious server, authenticating to Exchange, and requesting arbitrary system files, such as the hosts file.

The disclosure underscores the persistent dangers associated with SSRF vulnerabilities in complex enterprise software. Even when authentication is a prerequisite, the combination of low-privileged access and inadequate input validation can lead to significant data exposure. The availability of detailed research and a functional exploit significantly escalates the urgency for organizations to address this vulnerability, as threat actors are likely to quickly incorporate these techniques into their attack methodologies.

What You Should Do

  • Apply all security updates provided by Microsoft for Exchange Server immediately.
  • Implement network restrictions to prevent Exchange servers from initiating outbound requests to untrusted or unknown endpoints.
  • Ensure proper validation of URL schemes within your environment, explicitly blocking non-HTTP/HTTPS protocols like file:// in contexts where they are not intended.
  • Regularly review and audit Exchange server configurations for any deviations from security best practices.
