HighPublic exploit

SSRF and arbitrary file read privilege escalation in Microsoft Exchange Server

IdentifiersCVE-2026-45504CWE-918· Server-Side Request Forgery (SSRF)

CVE-2026-45504 is a high-severity server-side request forgery vulnerability in on-premises Microsoft Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. The vulnerable flow is tied to Exchange’s handling of SharePoint/WOPI document-preview URLs. Exchange helper functions involved in the preview/token acquisition chain, including GetTokenRequestWebResponse and GetWacUrl, ultimately issue requests based on attacker-influenced URL data obtained from a WOPI/OData response. Exchange parses fields including WebApplicationUrl, AccessToken, and AccessTokenTtl, but does not properly validate the URL scheme of the returned WebApplicationUrl. An attacker-controlled WOPI provider can therefore return a malicious non-HTTP URL such as a file:// URI. By using a fragment character (#), the attacker can neutralize appended OAuth query parameters, causing Exchange to process a path such as file:///C:/Windows/win.ini# and issue a FileWebRequest against the local filesystem. This turns the SSRF primitive into arbitrary local file read on the Exchange server and can be leveraged for elevation of privilege through Exchange services.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated low-privilege attacker to coerce Exchange into reading arbitrary local files from the server and returning their contents through Exchange services. This can expose configuration files, credential material, and other sensitive secrets, enabling impersonation of other users, access to restricted information, and actions with elevated privileges. Microsoft’s published CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting access to Exchange services to trusted users and networks only, closely monitoring Exchange Web Services and document-preview/WOPI-related activity for anomalous reference attachments or outbound requests to attacker-controlled endpoints, and limiting or disabling unneeded preview/integration paths where operationally feasible. Because exploitation requires authenticated access and attacker-controlled WOPI interaction, enforcing least privilege for Exchange accounts and rapidly investigating suspicious mailbox or EWS activity may reduce risk. Specific vendor-provided mitigations beyond patching were not provided in the content.

Remediation

Patch, then assume compromise.

Apply Microsoft’s June 9, 2026 security updates for affected on-premises Exchange deployments. The content indicates fixes are available for Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Updates 14 and 15, and Exchange Server Subscription Edition RTM. Refer to the Microsoft updates associated with KB5094144, KB5094142, KB5094140, and KB5094139, and validate that all affected Exchange servers are fully patched.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2026-45504MaturityPoCVerified exploit

Repository contains a single Python exploit script and a short README with usage example. The script targets Microsoft Exchange and implements an authenticated SSRF-to-local-file-read chain for CVE-2026-45504. It accepts target URL, attacker callback IP/port, credentials, password, and an arbitrary target file path. Execution flow: (1) start a local HTTP server to answer Exchange callback requests with crafted XML containing a file:/// URI to the desired local file; (2) authenticate to OWA via /owa/auth.owa and obtain an OWA canary token; (3) use NTLM-authenticated EWS SOAP requests to /ews/exchange.asmx to create a draft message and then attach a malicious ReferenceAttachment using ProviderType OneDrivePro with attacker-controlled ProviderEndpointUrl/AttachLongPathName; (4) call /owa/service.svc?action=GetAttachmentPreview&id=... to trigger preview generation and return the file contents; (5) print the retrieved bytes to stdout. The exploit is operational rather than a mere PoC because it automates the full chain and returns file contents, but it does not provide a generalized framework or customizable post-exploitation payload beyond arbitrary file read.

hawktraceDisclosed Jun 24, 2026pythonmarkdownnetworkweb

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationExchange Serverapplication

Microsoft CorporationExchange Server 2016application

Microsoft CorporationExchange Server 2019application

Microsoft CorporationExchange Server Seapplication

Microsoft CorporationExchange Server Subscription Editionapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

cyber security newsNews

Jun 24, 2026

PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability

A high-severity Microsoft Exchange Server vulnerability in which insufficient validation of attacker-influenced WOPI/WebApplicationUrl values enables SSRF that can be turned into arbitrary local file reads, leading to privilege escalation and broader compromise.

cvefeed high severityNews

Jun 9, 2026

CVE-2026-45504 - Microsoft Exchange Server Elevation of Privilege Vulnerability

A server-side request forgery vulnerability in Microsoft Exchange Server that allows an authorized attacker to elevate privileges over a network.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-45504

NVD

nvd.nist.gov/vuln/detail/CVE-2026-45504

MITRE CWE · CWE-918

Server-Side Request Forgery (SSRF)

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45504