Microsoft Exchange Server CVE-2026-23399 poses critical risk to organizations using affected versions, enabling remote code execution without authentication.
A critical vulnerability has been discovered in Microsoft Exchange Server that allows unauthenticated attackers to execute arbitrary code remotely. Microsoft has assigned CVE-2026-23399 to this vulnerability, which affects multiple versions of Exchange Server software.
The vulnerability exists in the way Exchange Server processes certain requests, creating a path for attackers to bypass authentication entirely. Organizations running affected versions should prioritize applying security updates as threat actors are actively exploiting this flaw in the wild.
Affected Products and Versions
Microsoft has confirmed that the following Exchange Server versions are vulnerable:
- Exchange Server 2016 (cumulative updates 1-25)
- Exchange Server 2019 (cumulative updates 1-15)
- Exchange Online instances prior to the security update deployment
The vulnerability affects both on-premises deployments and certain Exchange Online configurations. Organizations using hybrid setups should ensure both environments are updated.
Technical Details
The vulnerability stems from improper input validation in the Exchange Server's web services component. Attackers can craft malicious requests that trigger memory corruption, leading to arbitrary code execution in the context of the Exchange Server process.
Microsoft rates this vulnerability as "Critical" with a CVSS v3.1 score of 9.8 out of 10. The high severity stems from:
- No authentication required for exploitation
- Remote attack vector
- High impact on confidentiality, integrity, and availability
- Low complexity for successful exploitation
Mitigation and Workarounds
Microsoft recommends immediate action:
- Apply the latest security updates for your Exchange Server version
- Enable enhanced logging to detect exploitation attempts
- Consider temporarily blocking external access to Exchange Web Services if immediate patching isn't possible
- Review and update firewall rules to limit exposure
Security updates are available through:
- Microsoft Update Catalog
- Windows Server Update Services (WSUS)
- Microsoft Endpoint Configuration Manager
- Exchange Admin Center for Exchange Online
Timeline and Response
Microsoft released the security advisory on [date] following responsible disclosure. The company coordinated with security researchers who discovered the vulnerability during routine security assessments.
Attackers began exploiting the vulnerability within 24 hours of public disclosure, targeting organizations across multiple sectors including healthcare, education, and financial services. Microsoft Threat Intelligence reports indicate automated scanning tools are being used to identify vulnerable systems.
Detection and Monitoring
Organizations should monitor for:
- Unusual authentication failures
- Unexpected Exchange Server process crashes
- Suspicious web service requests to /EWS/ or /OWA/ endpoints
- Network traffic patterns indicating reconnaissance
Microsoft provides detection guidance through its security portal, including specific event IDs to monitor and PowerShell scripts for vulnerability assessment.
Additional Resources
For detailed technical information, visit:
Organizations should treat this vulnerability with the highest priority and ensure all affected systems are patched within 48 hours of availability to minimize exposure to active exploitation.
Comments
Please log in or register to join the discussion