- CVE: CVE-2026-45504
- CVSS: 8.8 (High · CVSSv3)
- Product: Microsoft Exchange Server 2016 Cumulative Update 23
- Affected: 15.01.0.0, 15.02.0.0
- Impact: Microsoft Exchange Server Elevation of Privilege Vulnerability
- Status: No confirmed exploitation yet
- Patched in: 15.01.2507.069, 15.02.1544.041, 15.02.1748.046, 15.02.2562.043
- EPSS: 0.5% (30-day)
- Action: Update to 15.01.2507.069, 15.02.1544.041, 15.02.1748.046, 15.02.2562.043 now
TL;DR
Researchers at HawkTrace published full technical details and proof-of-concept code for a Microsoft Exchange vulnerability tracked as CVE-2026-45504. The flaw lets a low-privileged user read arbitrary files from an Exchange server. Microsoft patched it during the June 2026 update cycle, so admins should apply the fix now.
Why It Matters
Exchange servers hold sensitive mail and credentials. Therefore, any file-read bug carries real risk. This Microsoft Exchange vulnerability scores 8.8 on the CVSS scale. Attackers only need a low-privilege account with a mailbox. From there, they can pull configuration files, secrets, and other server data. Because the exploit code is now public, the window for safe patching is shrinking fast.
How the Attack Works
The bug lives in how Exchange builds document-preview URLs through SharePoint and WOPI. Exchange trusts the WebApplicationUrl value that a WOPI provider returns. However, it never checks the URL scheme. An attacker first creates a reference attachment that points Exchange at a server they control. When the preview loads, Exchange calls out to that server. The server then replies with a local file path instead of an HTTP address. As a result, Exchange reads the file and returns its contents to the attacker.
The HawkTrace technical write-up walks through the full request chain, and the proof-of-concept released on GitHub demonstrates the file read against a test host.
"🚨 Microsoft Exchange – CVE-2026-45504 🚨"
— HawkTrace (@hawktrace), June 23, 2026
Affected Versions
This Microsoft Exchange vulnerability affects Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition RTM. Microsoft disclosed it during the June 2026 Patch Tuesday release.
Patch and Mitigation
Microsoft shipped fixes under KB5094144, KB5094142, KB5094140, and KB5094139. Apply the matching security update for your build right away. The patch adds proper scheme validation, which blocks file paths returned by WOPI providers. Microsoft first rated exploitation as less likely. Still, the public PoC changes that math, so treat patching as urgent. To date, no in-the-wild attacks have been confirmed. Defenders can also watch for unusual WOPI token requests paired with odd local file access.
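The root cause described above (a WebApplicationUrl returned by a WOPI provider used without any scheme check) and the fix described here (scheme validation that rejects file paths) can be modelled side by side. The following is an added illustration written for this post, not Exchange or HawkTrace code; the function names, the sample provider responses and the optional host allowlist are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed illustration of the defect class, not Exchange or HawkTrace
# code. A document-preview component asks a WOPI provider for a
# WebApplicationUrl and then fetches it. If the value is used as-is, a
# local file path can be accepted where only an http(s) URL should be.

ALLOWED_SCHEMES = {"http", "https"}


def unchecked_web_application_url(url: str) -> str:
    """Vulnerable pattern: whatever the provider returned is used verbatim."""
    return url


def validate_web_application_url(url: str, allowed_hosts=None) -> bool:
    """Hardened pattern: accept only absolute http(s) URLs that name a host.

    Rejects file: URLs, drive-letter paths (urlsplit reports 'c' as the
    scheme of 'C:\\...'), UNC paths, bare POSIX paths and scheme-relative
    '//host/...' forms. allowed_hosts is an optional extra restriction to
    known WOPI hosts; it is an assumption added here, not part of the patch
    the post describes.
    """
    if not isinstance(url, str) or not url.strip():
        return False
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # None when the netloc is empty, e.g. 'http:///C:/x'
    if not host:
        return False
    if allowed_hosts is not None:
        return host in {h.lower() for h in allowed_hosts}
    return True


# Constructed sample responses a provider might return for the preview URL.
SAMPLE_RESPONSES = [
    "https://wopi.example.com/hosting/preview?id=1",   # legitimate
    "HTTPS://Wopi.Example.com/hosting/preview?id=2",   # legitimate, odd case
    "file:///C:/example/config.xml",                   # file URL
    "C:\\example\\secret.txt",                         # drive-letter path
    "\\\\fileserver.example\\share\\secret.txt",       # UNC path
    "/etc/example.conf",                               # bare POSIX path
    "//attacker.example/preview",                      # scheme-relative
    "http:///C:/example/secret.txt",                   # empty host
]


def triage_provider_responses(responses, allowed_hosts=None) -> dict:
    """Map each provider response to whether the hardened check accepts it."""
    return {u: validate_web_application_url(u, allowed_hosts) for u in responses}
```

Running `triage_provider_responses(SAMPLE_RESPONSES)` accepts only the two https entries; passing `allowed_hosts=["wopi.example.com"]` additionally rejects any https URL that points at an unexpected host.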