PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability
A public proof-of-concept exploit is now available for CVE-2026-45504, an SSRF flaw in Exchange Server 2016 and 2019 that lets authenticated attackers read arbitrary files.

A proof-of-concept (PoC) exploit has been publicly released for CVE-2026-45504, a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server that allows authenticated low-privileged users to read arbitrary files on the server. The flaw affects on-premises Exchange Server 2016 and 2019, including Subscription Edition, and was patched in Microsoft's June 9, 2026 security updates. With the exploit available, the risk of real-world attacks increases significantly for organizations that have not yet applied the updates.
The vulnerability lies in how Exchange integrates with SharePoint and the WOPI (Web Application Open Platform Interface) protocol when generating document preview URLs for Outlook on the web. In the vulnerable flow, Exchange calls helper functions such as GetTokenRequestWebResponse and GetWacUrl, which issue HTTP requests to a WOPI provider based on URLs influenced by the attacker. Exchange then parses the OData XML response for fields like WebApplicationUrl, AccessToken, and AccessTokenTtl. Because Exchange does not validate the URL scheme of the WebApplicationUrl field, an attacker can supply a non-HTTP scheme such as file:// that Exchange later uses as-is to build the final URL for the document preview.
The exploit relies on a subtle URI-handling trick involving the fragment character #. If the attacker-controlled WOPI endpoint returns a WebApplicationUrl such as file:///C:/windows/win.ini#, Exchange appends OAuth query parameters to form a URL like file:///C:/windows/win.ini#&access_token=...&.... Everything after # is treated as a fragment and ignored by the URI parser, so the effective path remains file:///C:/windows/win.ini. Exchange then uses FileWebRequest to read the local file and returns its contents to the attacker via Exchange services. By targeting sensitive paths, an attacker can exfiltrate configuration files, credential material, and other secrets that facilitate privilege escalation and further compromise.
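The two paragraphs above describe the missing check: the scheme of WebApplicationUrl is never validated, and query parameters are concatenated onto a string that may already carry a fragment. The following added example, which is not Exchange code and not from the article's author, parses a constructed WOPI-style OData response (the element names WebApplicationUrl, AccessToken and AccessTokenTtl are the ones the article quotes; the surrounding XML layout is an assumption), shows what a URI parser actually sees after naive concatenation, and puts a hardened builder beside it that validates the parsed scheme and rejects fragments before anything is appended.

```python
"""Added example, not Exchange's own code: parse a WOPI-style OData response,
extract WebApplicationUrl, and validate its scheme on the *parsed* URL before
appending OAuth query parameters. The XML layout below is a constructed
assumption; only the three field names come from the article."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlencode

# Only a TLS-protected HTTP scheme is acceptable for a WOPI host (assumed policy).
ALLOWED_SCHEMES = {"https"}

# Constructed sample response from a hostile WOPI provider: a file:// URL whose
# trailing '#' turns everything appended after it into a fragment.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
       xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
  <content type="application/xml">
    <d:WebApplicationUrl>file:///C:/windows/win.ini#</d:WebApplicationUrl>
    <d:AccessToken>constructed-token</d:AccessToken>
    <d:AccessTokenTtl>3600</d:AccessTokenTtl>
  </content>
</entry>"""

# Constructed benign response from a sanctioned provider.
BENIGN_FIELDS = {"WebApplicationUrl": "https://wac.corp.example/hosting/wopi",
                 "AccessToken": "constructed-token", "AccessTokenTtl": "3600"}

NS = "{http://schemas.microsoft.com/ado/2007/08/dataservices}"

def parse_wopi_response(xml_text):
    """Return the three fields the article says Exchange reads, as a dict."""
    root = ET.fromstring(xml_text)
    return {name: root.findtext(f".//{NS}{name}")
            for name in ("WebApplicationUrl", "AccessToken", "AccessTokenTtl")}

def naive_preview_url(fields):
    """The weak pattern: string-concatenate OAuth parameters onto the raw URL."""
    return fields["WebApplicationUrl"] + "&" + urlencode({"access_token": fields["AccessToken"]})

def effective_target(url):
    """What a URI parser will actually fetch: (scheme, path), fragment dropped."""
    parts = urlsplit(url)
    return parts.scheme, parts.path

def hardened_preview_url(fields):
    """Validate on the parsed URL: allowed scheme, a host, no fragment; only then
    append the query string with a proper separator."""
    base = fields["WebApplicationUrl"] or ""
    parts = urlsplit(base)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"rejected WebApplicationUrl scheme {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("rejected WebApplicationUrl without a host")
    if parts.fragment or "#" in base:
        raise ValueError("rejected WebApplicationUrl containing a fragment")
    sep = "&" if parts.query else "?"
    return base + sep + urlencode({"access_token": fields["AccessToken"]})

def accepts(fields):
    """True if the hardened builder accepts the response, False if it rejects it."""
    try:
        hardened_preview_url(fields)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    hostile = parse_wopi_response(SAMPLE_RESPONSE)
    print("naive builder would fetch:", effective_target(naive_preview_url(hostile)))
    print("hardened builder accepts hostile response:", accepts(hostile))
    print("hardened builder accepts benign response:", accepts(BENIGN_FIELDS))
    print("hardened URL:", hardened_preview_url(BENIGN_FIELDS))
```

The point of the hardened form is the order of operations: the scheme and host are checked on the parsed value, and the fragment check happens before any parameters are appended, so a trailing # can no longer swallow the query string.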
The attack is weaponized by an authenticated low-privileged Exchange user with a mailbox and network access. The attacker creates a ReferenceAttachment via Exchange Web Services that points to an attacker-controlled server. When a victim opens or previews the attachment in Outlook on the web, Exchange automatically invokes the WOPI token acquisition chain, sending a request to the attacker's endpoint. The malicious WOPI response injects the crafted file:// URL, triggering the local file read. According to HawkTrace, the public PoC demonstrates arbitrary file reads on Exchange Server 2019, including reading C:\Windows\win.ini.
Microsoft classifies CVE-2026-45504 as an elevation of privilege vulnerability with a CVSS v3.1 score of 8.8, emphasizing high impact on confidentiality, integrity, and availability. The bug is exploitable over the network by an authenticated low-privileged user. Security updates are available for Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Updates 14 and 15, and Exchange Server Subscription Edition RTM under KB5094144, KB5094142, KB5094140, and KB5094139. Microsoft initially rated exploitation as unlikely, but the release of operational exploit code changes the threat landscape.
Administrators are urged to apply the June 9, 2026 security updates immediately. Pending full patch coverage, mitigating steps include hardening access to Exchange and EWS endpoints, restricting outbound traffic from Exchange servers to untrusted hosts, and monitoring for suspicious EWS reference attachments pointing to unknown external domains. Detection can be enhanced by correlating unusual WOPI/WAC token requests with outbound connections and unexpected local file access on Exchange hosts.
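The detection advice above, correlating reference attachments that point at unknown external domains with outbound connections from the Exchange host, can be turned into a small correlation rule. The following added example is not from the article or from Microsoft; it runs over constructed log lines in a simplified, hypothetical format (Exchange's real EWS and network logs look different), and the allowlist host wac.corp.example is an assumed sanctioned WOPI provider.

```python
"""Added example: correlate off-allowlist EWS reference attachments with
outbound connections from the Exchange host. Log format and hostnames below
are constructed assumptions, not Exchange's own log layout."""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical allowlist of WOPI / Office Online Server hosts Exchange should reach.
KNOWN_WOPI_HOSTS = {"wac.corp.example"}

# Constructed log lines: EWS records reference-attachment creation,
# NET records outbound connections from the Exchange host "exch01".
SAMPLE_LOG = """\
2026-06-12T10:00:05Z EWS user=alice@corp.example action=CreateReferenceAttachment host=wac.corp.example
2026-06-12T10:00:07Z NET src=exch01 dst=wac.corp.example:443 proto=https
2026-06-12T10:03:10Z EWS user=mallory@corp.example action=CreateReferenceAttachment host=wopi.unknown.example
2026-06-12T10:04:41Z NET src=exch01 dst=wopi.unknown.example:80 proto=http
2026-06-12T11:30:00Z NET src=exch01 dst=wopi.unknown.example:80 proto=http
"""

EWS_RE = re.compile(r"^(\S+) EWS user=(\S+) action=CreateReferenceAttachment host=(\S+)$")
NET_RE = re.compile(r"^(\S+) NET src=(\S+) dst=([^:\s]+):(\d+) proto=(\S+)$")

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Split the constructed log into EWS attachment events and outbound connections."""
    ews, net = [], []
    for line in text.splitlines():
        m = EWS_RE.match(line)
        if m:
            ews.append({"t": _ts(m[1]), "user": m[2], "host": m[3]})
            continue
        m = NET_RE.match(line)
        if m:
            net.append({"t": _ts(m[1]), "src": m[2], "dst": m[3],
                        "port": int(m[4]), "proto": m[5]})
    return ews, net

def correlate(ews, net, allowlist=KNOWN_WOPI_HOSTS, window=timedelta(minutes=10)):
    """Flag a reference attachment whose provider host is off the allowlist when the
    Exchange host opens an outbound connection to that same host within `window`.
    Each finding pairs the creating user with the connection that followed."""
    findings = []
    for a in ews:
        if a["host"] in allowlist:
            continue
        for c in net:
            if c["dst"] == a["host"] and a["t"] <= c["t"] <= a["t"] + window:
                findings.append({"user": a["user"], "host": a["host"],
                                 "attached": a["t"], "connected": c["t"],
                                 "proto": c["proto"]})
    return findings

if __name__ == "__main__":
    ews_events, net_events = parse_log(SAMPLE_LOG)
    for f in correlate(ews_events, net_events):
        print(f"{f['user']} created a reference attachment for {f['host']} at "
              f"{f['attached']:%H:%M:%S}; Exchange connected over {f['proto']} at "
              f"{f['connected']:%H:%M:%S}")
```

The window keeps the rule from pairing an attachment with unrelated later traffic (the 11:30 connection in the sample is outside it); an unexpected plaintext HTTP connection to a brand-new WOPI host is exactly the pattern worth escalating, and any resulting local file access on the Exchange host should be reviewed alongside it.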
This vulnerability is the latest in a series of Exchange bugs that attackers have aggressively targeted. Breaches of Exchange servers have historically been among the most impactful in enterprise environments. The release of a public PoC means that even unsophisticated actors can launch file-reading attacks, making patching a top priority for any organization running on-premises Exchange.