CVE-2026-45504 Exchange SSRF Risk Explained
Hoplon InfoSec
24 Jun, 2026
CVE-2026-45504 Microsoft Exchange SSRF Vulnerability Explained
Content Summary
CVE-2026-45504 is a Microsoft Exchange Server SSRF vulnerability that can allow an authenticated low-privileged attacker to elevate privileges over a network. NVD classifies it as CWE-918 Server-Side Request Forgery and lists the CVSS v3.1 vector as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
The issue matters because Exchange is not just another application. It often sits at the center of enterprise email, identity workflows, mailbox access, document previews, and internal trust relationships.
Microsoft addressed the vulnerability through its June 9, 2026 Exchange Server security updates, including updates for Exchange Server 2016 CU23, Exchange Server 2019 CU14/CU15, and Exchange Server Subscription Edition RTM.
A public proof-of-concept has been reported in the provided brief, but I could not confirm a trusted public PoC source from official Microsoft or NVD pages while checking the references. For safe publishing, describe it as “reported public PoC availability” unless you verify the PoC source before publication.
Quick Facts Table
| Field | Details |
|---|---|
| CVE ID | CVE-2026-45504 |
| Product | Microsoft Exchange Server |
| Vulnerability Type | Server-Side Request Forgery, SSRF |
| CWE | CWE-918 |
| Severity | High |
| CVSS Score | 8.8 |
| CVSS Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Requirement | Low-privileged authenticated Exchange account |
| User Interaction | None according to CVSS vector |
| Attack Vector | Network |
| Main Impact | Privilege escalation, possible sensitive data exposure, possible local file read paths |
| Affected Deployment | On-premises Exchange Server 2016, 2019, Subscription Edition |
| Patch Release Date | June 9, 2026 |
| Public PoC Status | Reported, verify before publishing as confirmed |
| Primary Fix | Apply Microsoft June 2026 Exchange security updates |
Why CVE-2026-45504 Matters
CVE-2026-45504 matters because Exchange Server usually has a privileged position inside a company network. It handles email, authentication-related workflows, mailbox access, web services, document preview features, and sometimes hybrid Microsoft 365 connections.
This is not described as an unauthenticated remote code execution bug. That is important. But it is still serious because the attacker only needs low privileges, and many real-world breaches begin with one stolen mailbox account.
A low-privileged mailbox may not sound dangerous at first. In practice, it can become dangerous when the server processes attacker-controlled data on behalf of that user.
That is the heart of SSRF. The attacker does not directly reach the internal target. Instead, they convince the trusted server to make the request.
For defenders, the biggest concern is not only the vulnerability itself. The bigger concern is the position Exchange holds inside the network.
Once Exchange is abused, attackers may be able to reach places they could not reach from the public internet. This is why vulnerability management, attack surface management, and strong email security and anti-phishing controls matter around Exchange.
Background: Exchange, SharePoint, WOPI, and WAC Preview Flow
To understand CVE-2026-45504, you need to understand the document preview flow.
When a user previews an attachment in Outlook on the web or another Exchange-related client, Exchange may need to prepare a browser-friendly preview. That preview can involve integrations with document services such as SharePoint, OneDrive, WOPI providers, and Office Web Apps style preview systems.
WOPI stands for Web Application Open Platform Interface. It is a Microsoft protocol used to let web applications view and edit files stored in another system.
WAC usually refers to the web application companion style preview flow used to generate a URL that the client can use to view a document.
In a normal flow, Exchange does not simply show a file by itself. It identifies the attachment, talks to the relevant provider, receives preview metadata, and builds a final preview URL.
Normal Document Preview Flow
A user opens or previews an attachment.
Exchange identifies the attachment provider.
Exchange contacts the WOPI endpoint.
Exchange requests target properties.
The WOPI provider returns preview metadata.
The response includes values such as WebApplicationUrl, AccessToken, and AccessTokenTtl.
Exchange builds the final WAC preview URL.
The client receives the preview URL.
That flow is normal. The risk appears when attacker-influenced data is trusted too much.
Root Cause: Missing WebApplicationUrl Scheme Validation
The root cause described in the provided technical brief is missing validation of the URL scheme in the WebApplicationUrl field.
In simple words, Exchange expects the preview URL to point to a safe web destination, usually using http or https. The dangerous case appears when a malicious or attacker-controlled provider returns a different scheme, such as file.
A safe application should reject unsafe schemes before building the final preview URL.
The risky pattern looks like this at a concept level:
Exchange contacts a provider endpoint.
The provider returns preview metadata.
Exchange parses the response.
Exchange uses the WebApplicationUrl value to build the final preview URL.
If the URL scheme is not properly validated, the server may process something it should never process as a preview URL.
This is why SSRF bugs are often more subtle than simple input validation bugs. The server is not just accepting text. It is using that text to make a request or build a trusted workflow.
Technical Attack Flow
This section explains the attack chain in a defensive way. It is not an exploit guide.
An attacker first needs a valid low-privileged Exchange mailbox account. That account could come from phishing, credential stuffing, password reuse, a weak password, or an already compromised user.
The attacker then abuses an Exchange attachment-related flow where a linked attachment or ReferenceAttachment can point Exchange toward a provider endpoint.
If the provider endpoint is attacker-controlled, the attacker can influence the metadata returned to Exchange.
The dangerous field is WebApplicationUrl. If that field contains an unsafe scheme and Exchange does not reject it, the preview flow can be turned into a server-side request path.
At that point, Exchange may act as the requester. That is what makes SSRF powerful.
The attacker is no longer only limited by what their own machine can reach. They may be able to abuse what the Exchange server can reach.
In reported technical analysis, the concern is that the flow can move beyond normal SSRF and toward local file read behavior if unsafe URI handling is reached. The exact impact can depend on service permissions, file ACLs, hardening, and environment configuration.
Technical Mechanics Table
| Component | Role in Vulnerability | Security Gap |
|---|---|---|
| ReferenceAttachment | External or linked attachment object | Attacker may influence provider endpoint |
| ProviderEndpointUrl | WOPI provider endpoint location | May point to an attacker-controlled server |
| GetTokenRequestWebResponse | Fetches token or properties response | May trust response source too much |
| GetWacUrl | Builds final preview URL | Should enforce safe URL schemes |
| OneDriveProUtilities.TryTwice | Request retry helper flow | Can fetch attacker-influenced response data |
| OData XML Response | Carries preview metadata | Can contain malicious preview values |
| WebApplicationUrl | Final document preview base URL | Unsafe scheme may not be blocked |
| Fragment Character | URI parsing behavior | Can affect how appended query data is interpreted |
| FileWebRequest | Handles file scheme behavior in some .NET contexts | May create local file read risk if reached |
Affected Versions and Patch Mapping
Microsoft support pages confirm June 9, 2026 Exchange security updates for supported affected builds. The affected product set includes Exchange Server 2016 CU23, Exchange Server 2019 CU14/CU15, and Exchange Server Subscription Edition RTM.
| Exchange Version | Affected Build or Channel | Security Update | Action |
|---|---|---|---|
| Exchange Server 2016 | CU23 | KB5094144 | Apply June 9, 2026 security update |
| Exchange Server 2019 | CU14 | KB5094142 | Apply June 9, 2026 security update |
| Exchange Server 2019 | CU15 | KB5094140 | Apply June 9, 2026 security update |
| Exchange Server Subscription Edition | RTM | KB5094139 | Apply June 9, 2026 security update |
CVSS and Risk Breakdown
NVD lists CVE-2026-45504 with a CVSS v3.1 score of 8.8 High and the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
| CVSS Metric | Meaning | Practical Reading |
|---|---|---|
| AV:N | Network attack vector | The attack can be performed over a network |
| AC:L | Low attack complexity | No highly complex condition is required |
| PR:L | Low privileges required | A basic authenticated account is enough |
| UI:N | No user interaction | No user action is required in CVSS scoring |
| S:U | Scope unchanged | Impact stays within the same security authority |
| C:H | High confidentiality impact | Sensitive data exposure is possible |
| I:H | High integrity impact | Trust or permissions may be affected |
| A:H | High availability impact | Service impact is possible |
This is not the same as a pre-auth RCE vulnerability. But it should not be treated as low risk.
The danger comes from the combination of low privilege, network reachability, Exchange’s trusted role, and possible sensitive data exposure.
What an Attacker Could Read
If the vulnerability is abused in a way that reaches local file access, the most concerning targets would be files that help the attacker understand or deepen the compromise.
Possible sensitive targets include:
Exchange configuration files
Application configuration files
Web.config style files
Service credentials or connection strings
Certificate-related material
Local system information
Internal path discovery data
Logs containing tokens or usernames
Files that help lateral movement or privilege escalation
The same result will not happen in every environment. Permission context, Exchange service rights, file ACLs, OS hardening, and server configuration all affect real impact.
Real-World Exploitation Requirements
A successful attack is not magic. Several conditions usually need to line up.
The attacker needs a valid Exchange account.
The Exchange server must be vulnerable and unpatched.
The relevant WOPI or WAC preview flow must be reachable.
The attacker must be able to influence a provider endpoint or linked attachment workflow.
The Exchange server must be able to make outbound requests to the attacker-controlled host.
Security tools must fail to block or detect the unusual behavior.
That last point is where many organizations struggle. Exchange outbound traffic is often treated as normal background noise.
This is why defenders should monitor outbound requests from Exchange servers, not only inbound attacks against Exchange.
Public PoC Risk Analysis
Public PoC availability should be treated as a risk multiplier, not as proof of active compromise.
When exploit code becomes public, the technical barrier drops. Researchers can reproduce behavior faster. Red teams can validate exposure. Threat actors can also test vulnerable systems faster.
Microsoft and NVD confirm the vulnerability, CVSS vector, and CWE classification, but the official pages do not provide detailed exploit mechanics.
That means defenders should avoid two mistakes.
The first mistake is panic. A reported PoC does not automatically mean every Exchange server is compromised.
The second mistake is waiting. Once a working PoC exists in public or semi-public channels, scanning and adaptation can move quickly.
The safe position is simple: patch first, verify second, hunt third.
Indicators and Detection Opportunities
Network Indicators
Monitor Exchange servers for outbound requests to unknown external domains.
Look for Exchange server HTTP or HTTPS requests that happen around attachment preview activity.
Review DNS and proxy logs for rare domains contacted only by Exchange.
Investigate outbound traffic from Exchange to destinations unrelated to Microsoft, SharePoint, OneDrive, trusted document services, or approved business integrations.
Exchange and EWS Indicators
Watch for suspicious ReferenceAttachment creation.
Review ProviderEndpointUrl values that point to unknown external domains.
Look for unusual EWS operations involving attachment metadata.
Monitor requests involving document preview or WOPI target property retrieval.
Correlate attachment preview activity with outbound network requests.
Host Indicators
Monitor unexpected local file access by Exchange worker processes.
Look for access to simple test files such as win.ini, because attackers often use harmless-looking files to test arbitrary file read behavior.
Review access to Exchange configuration files.
Compare file read timestamps with WOPI or WAC preview activity.
Use EDR and Sysmon telemetry where possible.
SIEM Correlation Idea
A useful detection chain may look like this:
Suspicious ReferenceAttachment activity
plus
ProviderEndpointUrl pointing to a rare external host
plus
Outbound request from Exchange to that host
plus
WOPI or WAC preview event
plus
Local file read by an Exchange process
within a short time window
This kind of correlation is more useful than looking for one single indicator.
Defensive Detection Table
| Signal | Why It Matters | Data Source | Priority |
|---|---|---|---|
| Unknown ProviderEndpointUrl | Possible malicious WOPI endpoint | Exchange or EWS logs | High |
| Outbound Exchange request to rare domain | Possible SSRF behavior | Proxy, firewall, DNS logs | High |
| GetWopiTargetPropertiesByUrl spike | Possible preview abuse | Exchange logs | Medium |
| Unsafe URI scheme pattern | Indicates validation bypass attempt | Application telemetry | Critical |
| Local file read by Exchange process | Possible arbitrary file read | EDR or Sysmon | Critical |
| win.ini read from Exchange process | Common test target | EDR or Sysmon | High |
| ReferenceAttachment from new user | Possible staging activity | Mailbox audit logs | Medium |
Immediate Mitigation Checklist
Patch
Apply Microsoft June 9, 2026 Exchange security updates.
Verify every Exchange server build number.
Confirm no server was missed behind a load balancer.
Patch passive DAG nodes too.
Reboot and validate service health.
Exposure Reduction
Restrict public access to EWS where possible.
Limit Exchange outbound traffic to trusted destinations.
Place Exchange egress behind a proxy allowlist.
Block unnecessary outbound protocols where enforceable.
Review attachment preview policies if your environment allows it.
Account Security
Review low-privileged mailbox activity.
Enforce MFA where applicable.
Disable unused mailboxes.
Review suspicious mailbox rules.
Audit delegated mailbox access.
Monitoring
Enable detailed Exchange logging.
Collect EWS logs centrally.
Enable DNS and proxy logging for Exchange hosts.
Monitor Exchange process file access.
Create SIEM rules for suspicious WOPI and WAC behavior.
Incident Response
Search for unusual ProviderEndpointUrl values.
Hunt for win.ini and sensitive config file reads.
Review outbound connections from Exchange since before the patch date.
Rotate credentials if sensitive file read is suspected.
Preserve logs before cleanup.
Patch Verification Guide
Installing a patch is not the end of the job.
Exchange admins should verify the installed KB, Exchange build number, service health, DAG status, OWA, ECP, EWS, and mail flow.
| Verification Item | Command or Method | Expected Result |
|---|---|---|
| Installed update | Control Panel, PowerShell, or inventory tool | Correct KB visible |
| Exchange build | Exchange Management Shell | Build matches Microsoft patched version |
| Server health | Exchange Health Checker | No critical patch warning |
| Service status | Get-Service or Exchange tools | Required Exchange services running |
| Mail flow | Internal and external test mail | Successful delivery |
| OWA and ECP | Browser test | Login and admin pages work |
| EWS | Application or script test | Expected response from EWS |
| DAG nodes | Exchange admin tools | All nodes patched and healthy |
Incident Response Playbook
Phase 1: Triage
Identify all Exchange servers.
Confirm patch status.
Check internet exposure.
Review EWS and OWA access logs.
Look for suspicious ReferenceAttachment activity.
Phase 2: Hunt
Search outbound proxy and DNS logs from Exchange servers.
Look for rare external domains.
Review WOPI and WAC related activity.
Check EDR events for unusual file reads.
Search for PoC style test file access.
Phase 3: Containment
Block malicious domains and IPs.
Restrict Exchange outbound access.
Disable suspicious accounts.
Revoke active sessions if needed.
Apply patches immediately.
Phase 4: Eradication
Remove malicious attachments.
Reset affected account credentials.
Rotate credentials that may have been exposed.
Review Exchange configuration secrets.
Validate no persistence remains.
Phase 5: Recovery
Restore normal access gradually.
Monitor for repeated attempts.
Update SIEM rules.
Document patch evidence.
Run a post-incident review.
Organizations that do not have an internal response team should prepare an incident response recovery process before Exchange vulnerabilities become an emergency.
Common Mistakes Admins Should Avoid
Only patching the internet-facing Exchange server and forgetting internal nodes.
Assuming authenticated vulnerabilities are low risk.
Ignoring outbound traffic from Exchange.
Not checking ReferenceAttachment abuse.
Treating a win.ini read as harmless.
Failing to rotate credentials after suspected file exposure.
Relying only on initial exploitability ratings after a reported PoC.
Not validating build numbers after installing the KB.
Leaving EWS broadly exposed without monitoring.
Not collecting logs before cleanup.
Comparison With Previous Exchange Vulnerabilities
Exchange has a long history of vulnerabilities becoming more dangerous after public analysis. CVE-2026-45504 should be understood in that wider pattern.
| Vulnerability | Type | Auth Required | Main Impact | Defensive Lesson |
|---|---|---|---|---|
| ProxyShell | Pre-auth chain | Often no auth | Remote code execution | Patch quickly and reduce exposure |
| ProxyNotShell | SSRF/RCE chain | Context dependent | Code execution risk | Layered mitigations matter |
| CVE-2026-42897 | OWA spoofing/XSS | User interaction conditions | Browser-context impact | OWA hardening matters |
| CVE-2026-45504 | SSRF via WOPI/WAC | Low privilege auth | Privilege escalation and possible file read | Outbound control and preview flow monitoring matter |
Secure Architecture Recommendations
Exchange servers should not have unrestricted outbound internet access.
Use an egress proxy with an allowlist.
Separate Exchange from sensitive internal resources.
Centralize Exchange, IIS, EWS, proxy, DNS, and EDR logs.
Create a patch management SLA for Exchange.
Keep an emergency Exchange patch runbook.
Test Exchange updates in a lab before production rollout.
Keep offline backups.
Reduce dependency on legacy on-prem exposure where possible.
Review your external-facing footprint with online threat exposure monitoring and cyber threat intelligence.
Recommended Hardening Checklist
Restrict EWS exposure.
Use conditional access where possible.
Enforce MFA for admin and user accounts.
Disable legacy authentication.
Review OAuth and integration settings.
Limit outbound access from Exchange servers.
Monitor WOPI, WAC, and attachment preview flows.
Run Exchange Health Checker regularly.
Apply security updates within a defined SLA.
Audit mailbox permissions and forwarding rules.
Keep offline backups.
Document server inventory and patch ownership.
For deeper validation, combine web application security testing, penetration testing, and extended detection response XDR.
FAQ
What is CVE-2026-45504?
CVE-2026-45504 is a Microsoft Exchange Server SSRF vulnerability that can allow an authenticated attacker with low privileges to elevate privileges over a network.
Is CVE-2026-45504 remotely exploitable?
Yes. The CVSS vector lists the attack vector as network. The attacker still needs low privileges.
Does the attacker need authentication?
Yes. The CVSS vector lists PR:L, which means low privileges are required.
Is user interaction required?
The CVSS vector lists UI:N, meaning no user interaction is required in the CVSS scoring context.
What is the CVSS score?
The CVSS v3.1 score is 8.8 High.
What is the root cause?
The root cause is described as missing validation of the WebApplicationUrl scheme inside the Exchange WOPI/WAC preview URL generation flow, based on the provided technical brief.
Why does file scheme handling matter?
If a server accepts an unsafe local file scheme inside a trusted preview flow, it may create a path toward local file access. This depends on implementation behavior, service permissions, and file ACLs.
Which Exchange versions are affected?
The affected versions include Exchange Server 2016 CU23, Exchange Server 2019 CU14, Exchange Server 2019 CU15, and Exchange Server Subscription Edition RTM, based on the June 2026 Exchange update coverage.
How should admins fix it?
Apply the relevant Microsoft June 9, 2026 Exchange security update, verify build numbers, restrict outbound access, and monitor suspicious WOPI, WAC, and EWS activity.
Should organizations wait for confirmed exploitation?
No. Exchange is high-value infrastructure. Reported PoC availability should raise patch priority, even if confirmed in-the-wild exploitation is not yet publicly proven.
-20260624155509.webp "Final Action Plan")
Key Takeaways
CVE-2026-45504 is a high-severity Microsoft Exchange SSRF vulnerability.
It requires low privileges, but that still fits many real-world attack scenarios.
The most important defensive action is to patch every affected Exchange server.
Outbound monitoring from Exchange servers is just as important as inbound monitoring.
A reported public PoC should be treated as a risk multiplier.
Patch verification and post-patch hunting should both be part of the response.
Was this article helpful?
React to this post and see the live totals.
Share this :