A public proof-of-concept exploit is now available for CVE-2026-45504, a high‑severity server-side request forgery vulnerability in Microsoft Exchange Server that enables privilege escalation via arbitrary file reads.
The flaw affects on‑premises Exchange Server 2016 and 2019, including Subscription Edition, and is addressed in Microsoft’s June 9, 2026, security updates.
CVE-2026-45504 arises from how Exchange integrates with SharePoint and WOPI when generating WAC document‑preview URLs.
In the vulnerable flow, Exchange uses helper functions such as GetTokenRequestWebResponse and GetWacUrl, which call OneDriveProUtilities.TryTwice to issue HTTP requests based on attacker‑influenced URLs and then parse an OData XML response for WebApplicationUrl, AccessToken, and AccessTokenTtl.
Because Exchange does not validate the URL scheme of the WebApplicationUrl field returned by the WOPI provider, an attacker can supply a non‑HTTP scheme that is later used as‑is to build the final WAC URL.
This missing validation converts an SSRF primitive into a powerful arbitrary-file-read issue on the Exchange server itself.
The exploit relies on a subtle URI-handling trick involving the fragment character #. If the attacker-controlled WOPI endpoint returns a WebApplicationUrl such as file:///C:/windows/win.ini#, Exchange appends its OAuth query parameters to that value, forming a URL like file:///C:/windows/win.ini#&access_token=…&access_token_ttl=…&sc=…. Everything after # is treated as a fragment and ignored by the URI parser, so the effective path remains file:///C:/windows/win.ini.
As a result, Exchange issues a file:// request via FileWebRequest, reads the local file, and returns its contents to the requester via Exchange services.
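The following is an added illustration, not code from Exchange or from the PoC: it parses a constructed OData-style WOPI response for the three fields named above, shows why appending query parameters after a trailing # leaves the file path intact, and contrasts that with a builder that enforces a scheme allow-list before the URL is ever used. The XML layout, the namespace, the function names and the https-only allow-list are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

# Constructed sample of a WOPI provider response (shape and namespace assumed).
NS = "http://schemas.microsoft.com/ado/2007/08/dataservices"
WOPI_RESPONSE = f"""<?xml version="1.0"?>
<entry xmlns:d="{NS}">
  <d:WebApplicationUrl>file:///C:/windows/win.ini#</d:WebApplicationUrl>
  <d:AccessToken>tok123</d:AccessToken>
  <d:AccessTokenTtl>3600</d:AccessTokenTtl>
</entry>"""

# Hypothetical allow-list; the page does not publish Microsoft's actual fix.
ALLOWED_SCHEMES = {"https"}


def parse_wopi_response(xml_text: str) -> dict:
    """Extract WebApplicationUrl, AccessToken and AccessTokenTtl from the XML."""
    root = ET.fromstring(xml_text)
    out = {}
    for name in ("WebApplicationUrl", "AccessToken", "AccessTokenTtl"):
        el = root.find(f".//{{{NS}}}{name}")
        if el is None or not el.text:
            raise ValueError(f"WOPI response is missing {name}")
        out[name] = el.text.strip()
    return out


def build_wac_url_unchecked(web_app_url: str, token: str, ttl: str) -> str:
    """Mimics the flawed flow: the provider's URL is used as-is, then
    the OAuth parameters are appended (sc=... omitted for brevity)."""
    return web_app_url + "&" + urlencode({"access_token": token, "access_token_ttl": ttl})


def effective_target(url: str) -> str:
    """What a URI parser actually fetches: everything before the fragment."""
    return url.partition("#")[0]


def build_wac_url_checked(web_app_url: str, token: str, ttl: str) -> str:
    """Hardened builder: reject non-allow-listed schemes, missing hosts and
    fragments before appending parameters with the correct separator."""
    parts = urlsplit(web_app_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"rejected WebApplicationUrl scheme {parts.scheme!r}")
    if "#" in web_app_url:
        raise ValueError("WebApplicationUrl must not contain a fragment")
    sep = "&" if parts.query else "?"
    return web_app_url + sep + urlencode({"access_token": token, "access_token_ttl": ttl})
```

Run `parse_wopi_response(WOPI_RESPONSE)` and feed the result to both builders to see the unchecked one yield an effective file path and the checked one raise.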
By choosing sensitive paths, an attacker can exfiltrate configuration files, credential material, and other secrets that facilitate privilege escalation and further compromise.
To weaponize this behavior, an attacker needs only a low‑privileged Exchange account with a mailbox and network access to the Exchange server.
The attack typically uses Exchange Web Services by creating a ReferenceAttachment whose ProviderEndpointUrl points to an attacker‑controlled server.
When the victim opens or previews this attachment in Outlook on the web or another Exchange client, Exchange automatically invokes the WOPI token acquisition chain, sending a GetWopiTargetPropertiesByUrl request to the attacker’s endpoint.
The malicious WOPI response injects the crafted file:// WebApplicationUrl, triggering the local file read.
According to HawkTrace, a public PoC demonstrates arbitrary file reads on Exchange Server 2019, including C:\Windows\win.ini, making real-world exploitation easier.
Microsoft classifies the issue as an elevation of privilege vulnerability with a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), emphasizing a high impact on confidentiality, integrity, and availability when exploited over the network by a low‑privileged authenticated user.
Security updates are available for Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Updates 14 and 15, and Exchange Server Subscription Edition RTM under KB5094144, KB5094142, KB5094140, and KB5094139, respectively.
Microsoft’s initial exploitability assessment rated exploitation as unlikely, but the release of functional exploit code increases the risk that threat actors will adopt this technique against unpatched environments.
Administrators of on‑premises Exchange deployments should urgently apply the June 9, 2026, security updates and verify that their servers match the patched build numbers referenced in Microsoft’s documentation.
Pending full patch coverage, organizations can reduce exposure by hardening access to Exchange and EWS endpoints, restricting outbound traffic from Exchange servers to untrusted hosts, and monitoring for suspicious EWS reference attachments that point to unknown external domains.
From a detection standpoint, correlating unusual WOPI/WAC token requests with outbound connections to attacker infrastructure and unexpected local file access on Exchange hosts can help identify attempts to exploit CVE-2026-45504 in the wild.