Microsoft Exchange Server CVE-2026-28389 poses critical risk with CVSS 9.8 rating. Attackers can execute remote code without authentication. Patch immediately.
Microsoft Exchange Server CVE-2026-28389: Critical Remote Code Execution Vulnerability
Microsoft has issued an emergency security advisory for CVE-2026-28389, a critical vulnerability affecting Microsoft Exchange Server versions 2016 and 2019. The flaw carries a CVSS v3.1 base score of 9.8 out of 10, placing it at the top of the Critical severity band.
Vulnerability Details
The vulnerability exists in the Exchange Server's Autodiscover service, specifically within the ECP (Exchange Control Panel) component. Attackers can exploit this flaw to execute arbitrary code on vulnerable systems without requiring authentication.
Technical Impact:
- Remote code execution without credentials
- Full system compromise possible
- No user interaction required
- Network-based attack vector
Affected Products
- Microsoft Exchange Server 2016 Cumulative Update 23 and earlier
- Microsoft Exchange Server 2019 Cumulative Update 16 and earlier
Exchange Online and Microsoft 365 services are not affected, as the vulnerability only impacts on-premises deployments.
Attack Vector
Attackers can exploit this vulnerability by sending specially crafted HTTP requests to the Autodiscover endpoint. The attack requires network access to the Exchange Server, either directly or through exposed services.
Mitigation Steps
Immediate Actions Required:
- Apply security updates immediately from Microsoft Update Catalog
- Block external access to Autodiscover endpoints if not needed
- Monitor network traffic for suspicious Autodiscover requests
- Consider temporary server isolation if patching cannot be performed immediately
Patch Availability:
- Security updates released March 11, 2026
- Available through Windows Server Update Services
- Direct download from Microsoft Update Catalog
Detection Indicators
Monitor for:
- Unusual Autodiscover traffic patterns
- Failed authentication attempts on ECP endpoints
- Suspicious POST requests to Autodiscover URLs
- Unexpected system behavior or processes
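As an added illustration, not part of this advisory and not Microsoft's tooling, the following Python script applies the indicators above to IIS W3C log lines from an Exchange front end: it parses the #Fields header, flags POST requests to the Autodiscover path from non-internal addresses, flags 5xx responses on Autodiscover (a common symptom of malformed requests reaching the service), flags a burst of Autodiscover requests from one source, and flags repeated 401 responses on /ecp/ from one source. The log lines, the internal address ranges and the thresholds are constructed assumptions and should be replaced with the organisation's own.

```python
"""Detection pass over IIS W3C logs for the Autodiscover/ECP indicators
listed in the advisory. Sample data, internal ranges and thresholds are
constructed assumptions for the demonstration."""
import ipaddress
from collections import Counter

# Assumption: the organisation's internal address ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed thresholds, deliberately low so the sample below triggers them.
ECP_FAIL_THRESHOLD = 3        # repeated 401s on /ecp/ from one source
AUTODISCOVER_BURST_THRESHOLD = 2  # Autodiscover requests from one source

# Constructed IIS W3C sample (not real traffic). IIS writes '+' for spaces
# inside fields, so every field here is a single whitespace-free token.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status sc-substatus
2026-03-12 08:00:01 10.1.1.5 POST /autodiscover/autodiscover.xml - 10.2.3.4 Outlook/16.0 200 0
2026-03-12 08:00:02 10.1.1.5 POST /autodiscover/autodiscover.xml - 203.0.113.7 python-requests/2.31 200 0
2026-03-12 08:00:03 10.1.1.5 POST /autodiscover/autodiscover.xml - 203.0.113.7 python-requests/2.31 500 0
2026-03-12 08:00:04 10.1.1.5 GET /ecp/default.aspx - 203.0.113.7 python-requests/2.31 401 1
2026-03-12 08:00:05 10.1.1.5 GET /ecp/default.aspx - 203.0.113.7 python-requests/2.31 401 1
2026-03-12 08:00:06 10.1.1.5 GET /ecp/default.aspx - 203.0.113.7 python-requests/2.31 401 1
2026-03-12 08:00:07 10.1.1.5 GET /owa/ - 10.2.3.9 Mozilla/5.0 200 0
"""


def parse_iis_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if line.startswith("#"):        # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed line: skip rather than mis-map columns
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip_text):
    """True when the client address falls inside an assumed internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                    # unparsable address is treated as external
    return any(ip in net for net in INTERNAL_NETS)


def analyse(records):
    """Apply the advisory's indicators; return a list of finding dicts."""
    findings = []
    ecp_failures = Counter()
    autodiscover_by_src = Counter()
    for r in records:
        uri = r["cs-uri-stem"].lower()
        src = r["c-ip"]
        when = r["date"] + " " + r["time"]
        if uri.startswith("/autodiscover/"):
            autodiscover_by_src[src] += 1
            if r["cs-method"] == "POST" and not is_internal(src):
                findings.append({"kind": "external_autodiscover_post", "src": src, "detail": when})
            if r["sc-status"].startswith("5"):
                findings.append({"kind": "autodiscover_server_error", "src": src, "detail": r["sc-status"]})
        if uri.startswith("/ecp/") and r["sc-status"] == "401":
            ecp_failures[src] += 1
    for src, n in ecp_failures.items():
        if n >= ECP_FAIL_THRESHOLD:
            findings.append({"kind": "ecp_auth_failures", "src": src, "detail": n})
    for src, n in autodiscover_by_src.items():
        if n >= AUTODISCOVER_BURST_THRESHOLD:
            findings.append({"kind": "autodiscover_burst", "src": src, "detail": n})
    return findings


def run_sample():
    """Run the detection over the constructed sample and return the findings."""
    return analyse(parse_iis_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['kind']:28} src={f['src']:15} {f['detail']}")
```

In production the same two functions would be pointed at the rotated log files under the IIS log directory of the Exchange front end, with the internal ranges and thresholds tuned to the environment; the 5xx and burst rules are noisy on their own and are most useful when correlated by source address with the external-POST rule.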
Severity Assessment
This vulnerability represents an extremely high risk due to:
- Critical CVSS score of 9.8
- No authentication required
- Remote exploitation capability
- Potential for complete system compromise
Organizations running affected Exchange Server versions should prioritize patching over other security activities until systems are updated.