logo

PoC Released for Microsoft Exchange SSRF Flaw That Lets Low-Privileged Users Read Files

ID: 13ea8b4d-73c7-5b45-bc7a-b6a743af1b5b

STIX ID: report--13ea8b4d-73c7-5b45-bc7a-b6a743af1b5b

Feed Name: Cyber Press

Threat Score
78/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Lucas Martin

...
...

A newly disclosed SSRF vulnerability (CVE-2026-45504) in on-premises Microsoft Exchange allows any authenticated low-privileged mailbox user to force the server to fetch arbitrary file:// resources by abusing the OneDrive/WOPI integration (functions: OneDriveProUtilities.GetWacUrl, TryTwice, GetTokenRequestWebResponse). HawkTrace published a PoC and technical analysis showing how a malicious ProviderEndpointUrl and crafted WebApplicationUrl (e.g., using a fragment to preserve file:// paths) cause Exchange to perform FileWebRequest reads and return local file contents; Microsoft advises blocking non-HTTP(S) schemes and applying a patch to validate WebApplicationUrl schemes.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.