HighPublic exploit

SSRF and Arbitrary File Read Privilege Escalation in Microsoft Exchange Server

IdentifiersCVE-2026-45504CWE-918· Server-Side Request Forgery (SSRF)

CVE-2026-45504 is a high-severity server-side request forgery vulnerability in on-premises Microsoft Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. The vulnerable flow is in Exchange’s handling of SharePoint/WOPI document-preview URLs. Exchange helper functions involved in the preview/token acquisition chain, including GetTokenRequestWebResponse and GetWacUrl, ultimately issue requests based on attacker-influenced URL data obtained from a WOPI/OData response. Exchange parses fields including WebApplicationUrl, AccessToken, and AccessTokenTtl, but does not properly validate the URL scheme of the returned WebApplicationUrl. An attacker-controlled WOPI provider can therefore return a malicious non-HTTP URL, including a file:// URL. By using a crafted value such as file:///C:/windows/win.ini# and abusing URI fragment handling so appended OAuth parameters are ignored, Exchange can be induced to issue a FileWebRequest against a local path on the Exchange server and return the file contents through Exchange services. Microsoft classifies the issue as an elevation of privilege vulnerability because the SSRF primitive can be used to impersonate another user, access restricted information, and perform actions with elevated privileges.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privilege attacker to turn the SSRF into arbitrary local file reads on the Exchange server, exposing sensitive files such as configuration data, credential material, and other secrets. Based on Microsoft’s advisory and the provided analysis, exploitation can also enable impersonation of other users, access to restricted information, and execution of actions with elevated privileges through Exchange services. The published CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting access to Exchange services to trusted users and networks, restricting or monitoring Exchange Web Services usage, and closely inspecting document preview and WOPI-related traffic for attacker-controlled ProviderEndpointUrl or anomalous file://-style WebApplicationUrl values. Monitor for suspicious reference attachments and unexpected local file access behavior originating from Exchange preview workflows. However, no vendor mitigation was provided in the supplied content; patching is the primary corrective action.

Remediation

Patch, then assume compromise.

Apply Microsoft’s June 9, 2026 security updates for CVE-2026-45504 on all affected on-premises Exchange deployments. The provided content states fixes are available for Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Updates 14 and 15, and Exchange Server Subscription Edition RTM, with relevant KB updates including KB5094144, KB5094142, KB5094140, and KB5094139. Prioritize internet-exposed and untrusted-user-accessible Exchange environments, especially given the availability of public proof-of-concept exploit code.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2026-45504MaturityPoCVerified exploit

Repository contains a single Python exploit script and a short README with usage example. The script targets Microsoft Exchange and implements an authenticated SSRF-to-local-file-read chain for CVE-2026-45504. It accepts target URL, attacker callback IP/port, credentials, password, and an arbitrary target file path. Execution flow: (1) start a local HTTP server to answer Exchange callback requests with crafted XML containing a file:/// URI to the desired local file; (2) authenticate to OWA via /owa/auth.owa and obtain an OWA canary token; (3) use NTLM-authenticated EWS SOAP requests to /ews/exchange.asmx to create a draft message and then attach a malicious ReferenceAttachment using ProviderType OneDrivePro with attacker-controlled ProviderEndpointUrl/AttachLongPathName; (4) call /owa/service.svc?action=GetAttachmentPreview&id=... to trigger preview generation and return the file contents; (5) print the retrieved bytes to stdout. The exploit is operational rather than a mere PoC because it automates the full chain and returns file contents, but it does not provide a generalized framework or customizable post-exploitation payload beyond arbitrary file read.

hawktraceDisclosed Jun 24, 2026pythonmarkdownnetworkweb

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationExchange Serverapplication

Microsoft CorporationExchange Server 2016application

Microsoft CorporationExchange Server 2019application

Microsoft CorporationExchange Server Seapplication

Microsoft CorporationExchange Server Subscription Editionapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app

cyber security newsNews

Jun 24, 2026

PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability

A high-severity Microsoft Exchange Server vulnerability in which insufficient validation of attacker-influenced WOPI/WebApplicationUrl values enables SSRF that can be turned into arbitrary local file reads, leading to privilege escalation and broader compromise.

cvefeed high severityNews

Jun 9, 2026

CVE-2026-45504 - Microsoft Exchange Server Elevation of Privilege Vulnerability

A server-side request forgery vulnerability in Microsoft Exchange Server that allows an authorized attacker to elevate privileges over a network.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity12

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-45504

NVD

nvd.nist.gov/vuln/detail/CVE-2026-45504

MITRE CWE · CWE-918

Server-Side Request Forgery (SSRF)

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45504