Vulnerability Discovery and Impact
Security researchers at HawkTrace have released technical details and a proof-of-concept (PoC) exploit for a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, tracked as CVE-2026-45504. The flaw carries a CVSS score of 8.8 and lets an authenticated, low-privileged user read arbitrary files from a vulnerable Exchange server. This is a serious risk for organizations that rely on on-premises Exchange for email and collaboration, because it exposes sensitive files on the server itself, such as configuration data and credentials.
How the Exploit Works
The vulnerability originates in the OneDriveProUtilities component, specifically in functions such as TryTwice and GetWacUrl that issue the HTTP requests used for document previews. The core issue is missing input validation: a URL derived from user-controlled data is passed directly into WebRequest.CreateHttp. An attacker creates a specially crafted reference attachment through Exchange Web Services (EWS), setting its ProviderEndpointUrl to a server they control. When the victim interacts with the attachment, the Exchange server makes a backend request to the attacker's server, which responds with a malicious WebApplicationUrl value containing a file URI such as file:///C:/Windows/win.ini. The researchers demonstrated a bypass using the URL fragment character (#) to ensure the file path is processed correctly, turning the SSRF into an arbitrary file read primitive.
Mitigation and Urgency
The release of a public PoC exploit increases the urgency for organizations to assess their exposure. HawkTrace has published the exploit on GitHub, demonstrating automated exploitation that requests files such as the system hosts file. The root cause is that Exchange trusts the URL returned by a WOPI endpoint without validating its scheme, so non-HTTP protocols are accepted. Organizations should apply the security updates from Microsoft and restrict outbound connections from Exchange servers to untrusted endpoints. Proper validation of URL schemes is critical to prevent exploitation: the returned URL should be held to an allow-list of http and https rather than a deny-list of file://, since a deny-list leaves every other non-HTTP scheme the client supports open.
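To make the exploit flow from "How the Exploit Works" and the scheme check called for above concrete, here is an added, self-contained model of the trust flaw. It is example code written for this page, not Exchange's code and not HawkTrace's PoC. The attacker's endpoint reply is a constructed XML body (the WebApplicationUrl element name follows the article; the surrounding XML shape, the ALLOWED_SCHEMES allow-list, and all function names are assumptions), and a temporary file stands in for win.ini or the hosts file so the example runs offline. Python's urllib.request plays the part of the .NET request API: it, too, will follow a file:// URL if nothing checks the scheme first.

```python
import os
import pathlib
import tempfile
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Only schemes a document-preview backend has any business fetching (assumed policy).
ALLOWED_SCHEMES = {"http", "https"}


def attacker_discovery_response(web_application_url: str) -> bytes:
    """Constructed stand-in for the reply from the attacker's ProviderEndpointUrl server.

    The element name follows the article; the surrounding XML shape is an assumption.
    """
    return (
        "<Response><WebApplicationUrl>"
        f"{web_application_url}"
        "</WebApplicationUrl></Response>"
    ).encode()


def extract_web_application_url(body: bytes) -> str:
    node = ET.fromstring(body).find("WebApplicationUrl")
    if node is None or not node.text:
        raise ValueError("no WebApplicationUrl in endpoint response")
    return node.text.strip()


def vulnerable_fetch(discovery_body: bytes) -> bytes:
    """Mirrors the flaw: the URL the remote endpoint returned goes straight to the client.

    urllib.request accepts file:// here, so the "preview request" becomes a local file read.
    """
    url = extract_web_application_url(discovery_body)
    with urllib.request.urlopen(url) as resp:  # no scheme check at all
        return resp.read()


def validate_web_application_url(url: str) -> str:
    """Hardened form: allow-list the scheme, require a host, refuse fragments."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"rejected scheme {parts.scheme!r} in {url!r}")
    if not parts.hostname:
        raise ValueError(f"rejected URL without a host: {url!r}")
    if parts.fragment:
        raise ValueError(f"rejected URL carrying a fragment: {url!r}")
    return url


def is_acceptable_url(url: str) -> bool:
    try:
        validate_web_application_url(url)
        return True
    except ValueError:
        return False


def hardened_fetch(discovery_body: bytes) -> bytes:
    url = validate_web_application_url(extract_web_application_url(discovery_body))
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def demo() -> dict:
    """Run both fetchers against a constructed file:// payload and return what each did."""
    # Stand-in for win.ini or the hosts file: a temp file with known contents.
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write("[fonts]\nsecret=1\n")
    try:
        # as_uri() yields file:///C:/... on Windows and file:///tmp/... elsewhere.
        # The trailing "#preview" mirrors the fragment trick the write-up mentions;
        # urllib drops the fragment before resolving the local path.
        payload = attacker_discovery_response(pathlib.Path(path).as_uri() + "#preview")
        leaked = vulnerable_fetch(payload)
        try:
            hardened_fetch(payload)
            blocked = ""
        except ValueError as exc:
            blocked = str(exc)
    finally:
        os.unlink(path)
    return {"vulnerable": leaked, "hardened": blocked}


if __name__ == "__main__":
    out = demo()
    print("vulnerable fetcher leaked:", out["vulnerable"])
    print("hardened fetcher said:", out["hardened"])
```

Running the module shows the vulnerable fetcher returning the file's contents while the hardened one refuses the URL on its scheme before any request is made. The check is deliberately an allow-list: a deny-list of file:// would still pass whatever other non-HTTP schemes the underlying client happens to support, and the host and fragment checks cost nothing. Egress filtering on the Exchange host is the complementary control for the http and https cases this check still allows.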
Source: Cyber Security News
