{"id":240360,"date":"2026-07-04T18:34:00","date_gmt":"2026-07-04T22:34:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/04\/microsoft-exchange-ssrf-vulnerability-details-released-along-with-public-poc-exploit\/"},"modified":"2026-07-04T18:40:07","modified_gmt":"2026-07-04T22:40:07","slug":"microsoft-exchange-ssrf-vulnerability-details-released-along-with-public-poc-exploit","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/04\/microsoft-exchange-ssrf-vulnerability-details-released-along-with-public-poc-exploit\/","title":{"rendered":"Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/exchange-ssrf-poc-exploit-released\/\">Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/exchange-ssrf-poc-exploit-released\/\">https:\/\/cybersecuritynews.com\/exchange-ssrf-poc-exploit-released\/<\/a><\/p>\n<p>Publish Date: 2026-07-04 18:34:00<\/p>\n<p>Source Domain: cybersecuritynews.com<\/p>\n<p>Security researchers from HawkTrace have disclosed technical details of a high-severity server-side request forgery (SSRF) vulnerability in Microsoft Exchange, tracked as CVE-2026-45504.<\/p>\n<p>The flaw, which carries a CVSS score of 8.8, allows authenticated, low-privileged users to read arbitrary files from vulnerable Exchange servers, raising serious concerns for enterprises relying on on-premises deployments.<\/p>\n<p>Microsoft Exchange is widely used for enterprise email, calendaring, and collaboration. 
Because of its central role in handling sensitive communications, vulnerabilities that allow unauthorized access to data can have a significant impact.<\/p>\n<p>In this case, the issue lies in how Exchange processes external URLs during attachment previews and when integrating with SharePoint services.<\/p>\n<p>According to the HawkTrace analysis, the vulnerability originates in the OneDriveProUtilities component, specifically within functions such as TryTwice and GetWacUrl.<\/p>\n<p>These functions make HTTP requests to retrieve WOPI (Web Application Open Platform Interface) data and access tokens for document previews.<\/p>\n<p>Exchange SSRF Flaw Gets Public PoC Exploit<\/p>\n<p>The core issue is that user-controlled input is passed directly into WebRequest.CreateHttp without sufficient validation.<\/p>\n<p>The attack begins when an authenticated user creates a specially crafted reference attachment using Exchange Web Services (EWS).<\/p>\n<p>This attachment includes a ProviderEndpointUrl pointing to an attacker-controlled server. When the victim accesses or previews the attachment, the Exchange server initiates a backend request to the attacker\u2019s server to retrieve WOPI metadata.<\/p>\n<p>The attacker then responds with a malicious WebApplicationUrl value. Instead of returning a standard HTTP or HTTPS URL, the response includes a file URI such as file:\/\/\/C:\/Windows\/win.ini.<\/p>\n<p>Normally, additional query parameters appended by Exchange would break the file path. 
However, the researchers demonstrated a simple bypass using the fragment character (#).<\/p>\n<p>By returning a payload like file:\/\/\/C:\/Windows\/win.ini#, the attacker makes sure that whatever Exchange appends lands after the #. System.Uri treats everything from the first # onward as the fragment, and the file request opens only the path in front of it, so C:\\Windows\\win.ini is read intact.<\/p>\n<p>As a result, Exchange performs a FileWebRequest against its own file system and returns the file contents to the attacker.<\/p>\n<p>This effectively turns the SSRF into an arbitrary-file-read primitive, exposing sensitive files such as configuration data, credentials, and internal service information.<\/p>\n<p>The root cause is the lack of scheme validation on URLs returned from WOPI endpoints. Exchange trusts the response and does not restrict non-HTTP schemes such as file:\/\/, which have no legitimate use in this context.<\/p>\n<p>This trust boundary violation lets an attacker pivot from a controlled external request (the outbound fetch of WOPI metadata from the attacker's server) into a read of the server's local files.<\/p>\n<p>HawkTrace has also released a public proof-of-concept (PoC) exploit on GitHub, demonstrating how the vulnerability can be exploited in real-world scenarios.<\/p>\n<p>The PoC automates the process by setting up a malicious server, authenticating to Exchange, and requesting arbitrary files such as the system hosts file.<\/p>\n<p>The disclosure highlights ongoing risks associated with SSRF vulnerabilities in complex enterprise software. 
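<\/p>
<p>The following PowerShell is an added example for this write-up, not code from HawkTrace, Microsoft, or the published PoC. It runs on the same .NET runtime Exchange uses and reproduces two things from the description above: how a WebApplicationUrl of file:\/\/\/C:\/Windows\/win.ini# survives the query parameters Exchange appends (System.Uri files everything after the first # under the fragment, and the WebRequest factory then dispatches on the file: scheme), and what an allow-list check on the returned URL looks like, as the mitigation section calls for. The function names, the access_token parameter name, the officeonline.contoso.example allow-list and the sample token are assumptions made for the example; the real Exchange code paths, parameter names and hosts are not shown in the write-up.<\/p>

```powershell
# Added example: models the two code paths the write-up describes. Names below
# (functions, the access_token parameter, the allowed host) are assumptions.

function Get-PreviewRequestVulnerable {
    param(
        [Parameter(Mandatory)] [string] $WebApplicationUrl,   # value returned by the remote WOPI endpoint
        [Parameter(Mandatory)] [string] $AccessToken
    )
    # The flaw pattern: trust the remote value, append the token as a query string,
    # hand the result to the WebRequest factory, which picks the transport from the
    # scheme. For http(s) that is HttpWebRequest; for file: it is FileWebRequest.
    $raw = $WebApplicationUrl + '?access_token=' + $AccessToken
    return [System.Net.WebRequest]::Create($raw)
}

function Resolve-WopiRequest {
    param(
        [Parameter(Mandatory)] [string] $WebApplicationUrl,
        [Parameter(Mandatory)] [string] $AccessToken,
        [string[]] $AllowedHosts = @('officeonline.contoso.example')   # assumed allow-list
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($WebApplicationUrl, [System.UriKind]::Absolute, [ref] $uri)) {
        throw 'WebApplicationUrl is not an absolute URI'
    }
    # Allow-list the scheme instead of block-listing file:. Anything else the
    # factory could dispatch on (ftp:, and file: itself) is rejected here.
    if ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https') {
        throw ('scheme not allowed: ' + $uri.Scheme)
    }
    # A fragment has no meaning in a WOPI URL; it is exactly how the win.ini
    # payload swallowed the appended query string, so reject it outright.
    if ($uri.Fragment) {
        throw 'fragment present in WebApplicationUrl'
    }
    if ($AllowedHosts -notcontains $uri.Host) {
        throw ('host not allowed: ' + $uri.Host)
    }
    # Append the token with UriBuilder so it ends up in the query, never after a #.
    $builder = [System.UriBuilder]::new($uri)
    $token = [System.Uri]::EscapeDataString($AccessToken)
    $amp = [string][char]38   # ampersand
    if ($builder.Query) {
        $builder.Query = $builder.Query.TrimStart('?') + $amp + 'access_token=' + $token
    } else {
        $builder.Query = 'access_token=' + $token
    }
    # CreateHttp only ever yields an HttpWebRequest, so no other transport can appear.
    return [System.Net.WebRequest]::CreateHttp($builder.Uri)
}

# Constructed inputs: the attacker-controlled WebApplicationUrl from the write-up
# and a legitimate one on the assumed allow-listed host.
$payload = 'file:\/\/\/C:\/Windows\/win.ini#'
$token   = 'tok-1234'

$bad = Get-PreviewRequestVulnerable -WebApplicationUrl $payload -AccessToken $token
'vulnerable path: {0}, fragment={1}' -f $bad.GetType().Name, $bad.RequestUri.Fragment

try {
    Resolve-WopiRequest -WebApplicationUrl $payload -AccessToken $token | Out-Null
} catch {
    'hardened path rejected payload: ' + $_.Exception.Message
}

$good = Resolve-WopiRequest -WebApplicationUrl 'https:\/\/officeonline.contoso.example\/wv\/wordviewerframe.aspx' -AccessToken $token
'hardened path accepted: {0} {1}' -f $good.GetType().Name, $good.RequestUri.AbsoluteUri
```

<p>The vulnerable function hands back a FileWebRequest whose RequestUri.Fragment holds the appended token, so the path in front of the # is what would be opened; the hardened function refuses the same input on scheme, fragment and host before it ever reaches the HTTP factory. It constructs request objects but never sends them, so it runs under pwsh or Windows PowerShell with no network and no Exchange server.<\/p>
<p>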
Even when authentication is required, low-privileged access combined with improper input validation can lead to significant data exposure.<\/p>\n<p>To mitigate this issue, organizations should apply the security updates provided by Microsoft and restrict Exchange servers from making outbound requests to untrusted endpoints. Note that egress filtering only cuts off the first hop (the WOPI metadata fetch from the attacker's server); it does not stop the file:\/\/ read itself, which never leaves the host.<\/p>\n<p>Proper validation of URL schemes is critical: allow-list http and https on URLs returned from WOPI endpoints rather than block-listing file:\/\/ and similar protocols, since a block-list leaves open every scheme the runtime's request factory knows about unless each one is named.<\/p>\n<p>The release of detailed research and a working exploit increases the urgency for organizations to assess their exposure and apply patches immediately, as threat actors may quickly adopt these techniques in targeted attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Exchange SSRF Vulnerability Details Released Along With Public PoC Exploit https:\/\/cybersecuritynews.com\/exchange-ssrf-poc-exploit-released\/ Publish Date: 
2026-07-04&#8230;<\/p>\n","protected":false},"author":1,"featured_media":240361,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/07\/Microsoft-Exchange-SSRF-Vulnerability-Details-Released-Along-With-Public-PoC-Exploit.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,27],"class_list":["post-240360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240360"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=240360"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240360\/revisions"}],"predecessor-version":[{"id":240362,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/240360\/revisions\/240362"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/240361"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=240360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=240360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=240360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}",
"templated":true}]}}