A newly released proof-of-concept exploit targets a critical server-side request forgery vulnerability, CVE-2026-45504, in Microsoft Exchange Server. This flaw allows for privilege escalation through unauthorized file reads, posing significant security risks.
Affected Systems and Vulnerability Details
The vulnerability impacts on-premises versions of Exchange Server 2016 and 2019, including the Subscription Edition. Microsoft addressed this issue in their June 9, 2026, security updates. The flaw originates from the interaction between Exchange, SharePoint, and WOPI for generating document preview URLs via WAC.
Exchange employs functions like GetTokenRequestWebResponse and GetWacUrl, which utilize OneDriveProUtilities.TryTwice to handle HTTP requests based on URLs controlled by attackers. The lack of URL scheme validation in the WebApplicationUrl field allows attackers to introduce non-HTTP schemes, facilitating the creation of malicious WAC URLs.
Exploit Mechanism and Impact
The absence of validation transforms SSRF vulnerabilities into powerful tools for unauthorized file access on the Exchange server. The exploit utilizes a URI-handling trick with the fragment character ‘#’. By returning a crafted WebApplicationUrl, such as file:///C:/windows/win.ini#, attackers can manipulate the URL to bypass URI parsers and access local files.
This technique enables attackers to extract sensitive data, including configuration files and credentials, which can lead to further system compromise. A low-privileged Exchange account with server access is sufficient for an attacker to execute this exploit, particularly using Exchange Web Services to direct requests to a malicious endpoint.
Security Measures and Recommendations
Microsoft rates this as an elevation of privilege vulnerability with a CVSS score of 8.8, indicating high risk. Security updates are available for Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Updates 14 and 15, and Subscription Edition RTM. These updates are critical to mitigate the exploit’s impact.
Administrators should urgently apply these updates and confirm their servers match the updated build numbers. In the interim, organizations can reduce risk by securing Exchange and EWS endpoints, restricting outbound traffic, and monitoring for unusual WOPI/WAC token requests or unexpected local file access.
Although Microsoft initially assessed the exploit as unlikely, the public release of functional code increases the likelihood of attacks on unpatched systems. Vigilant monitoring for suspicious activity is essential to detect and prevent exploitation attempts in the wild.
