#Vulnerabilities

Critical Microsoft Exchange Server Vulnerability CVE-2026-27142 Requires Immediate Patching

Vulnerabilities Reporter
2 min read

Microsoft Exchange Server CVE-2026-27142 allows remote code execution with CVSS 9.8 severity. Patch immediately or apply workarounds.

Critical Exchange Server Vulnerability CVE-2026-27142 Demands Immediate Action

Microsoft has issued an emergency security update for CVE-2026-27142, a critical vulnerability in Exchange Server that enables remote code execution without authentication. The vulnerability affects multiple Exchange Server versions and carries a CVSS v3.1 base score of 9.8.

What's Affected

The vulnerability impacts:

  • Microsoft Exchange Server 2016 Cumulative Updates through CU23
  • Microsoft Exchange Server 2019 Cumulative Updates through CU16
  • Microsoft Exchange Server 2021 Cumulative Updates through CU9

Exchange Online and Microsoft 365 services are not affected, as they operate on separate infrastructure.

Technical Details

The vulnerability exists in the Exchange Server's Autodiscover service, which processes client requests for configuration information. Attackers can exploit this flaw by sending specially crafted Autodiscover requests to unpatched servers, potentially gaining SYSTEM-level privileges.

Microsoft reports that the vulnerability is being actively exploited in limited targeted attacks, though widespread exploitation has not yet been observed.

Immediate Mitigation Steps

Administrators should:

  1. Apply security updates immediately - Microsoft has released patches for all affected versions
  2. Block external access to Autodiscover endpoints - Use firewall rules to restrict access to trusted IP ranges
  3. Enable enhanced logging - Monitor for suspicious Autodiscover requests
  4. Validate Exchange Server configuration - Ensure proper authentication settings are enabled

Timeline and Response

Microsoft released the security updates on April 14, 2026, following responsible disclosure from security researchers. The company coordinated with CERT/CC and other security organizations to ensure comprehensive coverage.

Additional Resources

Severity Assessment

With a CVSS score of 9.8, this vulnerability is classified as critical. The combination of remote exploitation, lack of authentication requirements, and potential for SYSTEM-level access makes this a severe threat to organizations running affected Exchange Server versions.

Microsoft recommends prioritizing patching for all Exchange Server deployments, particularly those exposed to the internet.

#Microsoft#Exchange Server#CVE-2026-27142#Remote Code Execution#Patch Management

Comments

Loading comments...
Back to Home