Exploit Released for Microsoft Exchange SSRF Flaw Enabling File Access

A public proof-of-concept exploit demonstrates how an authenticated, low-privileged user can abuse a Microsoft Exchange SSRF vulnerability to read arbitrary files from the server.

CSBadmin

Vulnerability Discovery and Impact

Security researchers at HawkTrace have released technical details and a proof-of-concept (PoC) exploit for a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, tracked as CVE-2026-45504. The flaw carries a CVSS score of 8.8 and lets an authenticated user with low privileges read arbitrary files from a vulnerable Exchange server. Because the file is fetched by the Exchange server itself, the attacker can reach sensitive system files such as configuration data and credentials, which makes the bug a serious risk for organizations that run on-premises Exchange for email and collaboration.

How the Exploit Works

The vulnerability originates in the OneDriveProUtilities component, specifically in functions such as TryTwice and GetWacUrl that issue HTTP requests for document previews. The core issue is missing input validation: user-controlled input is passed directly into WebRequest.CreateHttp. An attacker creates a specially crafted reference attachment through Exchange Web Services (EWS), setting its ProviderEndpointUrl to a server they control. When the victim interacts with the attachment, the Exchange server makes a backend request to that endpoint, which answers with a malicious WebApplicationUrl carrying a file URI such as file:///C:/Windows/win.ini. The researchers used a URL fragment (the # character) to get the file path processed as intended, turning the SSRF into an arbitrary file read primitive.

Mitigation and Urgency

The release of a public PoC raises the urgency of assessing exposure. HawkTrace has published the exploit on GitHub, demonstrating automated exploitation to retrieve files such as the system hosts file. The root cause is that Exchange trusts the WOPI endpoint's response without validating the scheme of the URL it returns, so non-HTTP protocols are accepted. Organizations should apply Microsoft's security updates and, as a compensating control, restrict Exchange servers from making outbound requests to untrusted endpoints. On the code side, the fix is to validate the scheme of any URL taken from an endpoint response: allow only http and https rather than merely blocking the literal string file://, since a deny-list check on a substring is easily sidestepped by casing, whitespace or similar variations.
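As an added illustration, not Exchange's code and not from the HawkTrace PoC, the Python below models the validation the two sections above call for: the WebApplicationUrl taken from a WOPI-style endpoint response is screened by parsing the URL and allow-listing the scheme (http/https) and the host, shown beside a naive "starts with file://" deny-list check that casing, leading whitespace or a UNC path slip past. The response shape, the sample URLs and the office.example.com allow-list are constructed for the example; Exchange is .NET, so this is the logic, not its API.

```python
from urllib.parse import urlsplit

# Schemes a document-preview backend should ever be willing to fetch.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def naive_check(url: str) -> bool:
    """Weak deny-list check: rejects only URLs that literally begin with
    'file://'. Shown as the pattern to avoid, not as what Exchange does."""
    return not url.startswith("file://")


def hardened_check(url: str, allowed_hosts=None) -> bool:
    """Allow-list check on the parsed URL.

    The decision is made on the parsed scheme and host, so casing,
    surrounding whitespace and anything after '#' cannot change it.
    allowed_hosts, when given, pins the host to the document-preview
    servers the deployment actually uses (a hypothetical allow-list).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lower-cases the scheme
        return False
    host = parts.hostname                     # None for 'http:///C:/...'
    if not host:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    return True


def screen_wopi_response(body: dict, allowed_hosts=None):
    """Return the WebApplicationUrl from a (constructed) endpoint response
    if it passes hardened_check, else None so the caller issues no request."""
    url = body.get("WebApplicationUrl")
    if not isinstance(url, str) or not hardened_check(url, allowed_hosts):
        return None
    return url


# Constructed sample values an attacker-controlled endpoint might return.
SAMPLES = [
    "https://office.example.com/wv/wordviewerframe.aspx",   # the only legitimate one
    "file:///C:/Windows/win.ini",                           # the plain file URI
    "FILE:///C:/Windows/win.ini",                           # case variant
    "  file:///C:/Windows/win.ini",                         # leading whitespace
    "http:///C:/Windows/win.ini",                           # http with empty host
    "https://attacker.example/#file:///C:/Windows/win.ini", # http(s) to an untrusted host
    r"\\attacker.example\share\doc.docx",                   # UNC path, no scheme at all
]


def compare(urls=SAMPLES, allowed_hosts=frozenset({"office.example.com"})):
    """Map each URL to (naive_result, hardened_result) for side-by-side review."""
    return {u: (naive_check(u), hardened_check(u, allowed_hosts)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strong) in compare().items():
        print(f"{url!r:60} naive={weak!s:5} hardened={strong}")
```

Without the host allow-list the https://attacker.example URL passes the hardened check too, because it is a well-formed https URL; the scheme check alone closes the file-read primitive, while pinning the host is what removes the remaining SSRF to arbitrary external servers.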

Source: Cyber Security News
