PoC Released for Microsoft Exchange SSRF Flaw That Lets Low-Privileged Users Read Files
ID: 13ea8b4d-73c7-5b45-bc7a-b6a743af1b5b
STIX ID: report--13ea8b4d-73c7-5b45-bc7a-b6a743af1b5b
Feed Name: Cyber Press
A newly disclosed SSRF vulnerability (CVE-2026-45504) in on-premises Microsoft Exchange allows any authenticated low-privileged mailbox user to force the server to fetch arbitrary file:// resources by abusing the OneDrive/WOPI integration (functions: OneDriveProUtilities.GetWacUrl, TryTwice, GetTokenRequestWebResponse). HawkTrace published a PoC and technical analysis showing how a malicious ProviderEndpointUrl and crafted WebApplicationUrl (e.g., using a fragment to preserve file:// paths) cause Exchange to perform FileWebRequest reads and return local file contents; Microsoft advises blocking non-HTTP(S) schemes and applying a patch to validate WebApplicationUrl schemes.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
