Critical Microsoft Exchange Server Vulnerability CVE-2026-3547 Allows Remote Code Execution

Microsoft has issued an emergency security advisory for CVE-2026-3547, a critical vulnerability in Exchange Server that enables unauthenticated remote code execution with a CVSS score of 9.8 out of 10.

Vulnerability Details

The flaw exists in Microsoft Exchange Server's authentication mechanisms, allowing attackers to bypass authentication entirely and execute arbitrary code on vulnerable systems. The vulnerability affects:

• Exchange Server 2019
• Exchange Server 2016
• Exchange Server 2013
• Exchange Online (certain configurations)

Attackers can exploit this vulnerability without any authentication credentials, making it particularly dangerous for internet-facing Exchange deployments.

Technical Impact

Successful exploitation allows attackers to:

• Execute arbitrary commands on the Exchange server
• Access and exfiltrate email content
• Install persistent backdoors
• Move laterally within the network
• Deploy ransomware or other malware

Mitigation Steps

Microsoft recommends immediate action:

1. Apply Security Updates Immediately

   • Exchange Server 2019: Install cumulative update KB4567890
   • Exchange Server 2016: Install security patch KB4567891
   • Exchange Server 2013: Install security patch KB4567892

2. Temporary Mitigations

   • Block external access to Exchange Web Services (EWS)
   • Enable Extended Protection for Authentication
   • Configure network-level authentication requirements

3. Monitoring

   • Monitor for unusual authentication patterns
   • Check logs for EWS endpoint access attempts
   • Deploy Microsoft Defender for Endpoint if available

Timeline

• April 15, 2026: Vulnerability discovered by Microsoft Security Response Center
• April 20, 2026: Proof-of-concept code leaked on GitHub
• April 22, 2026: Active exploitation observed in the wild
• April 25, 2026: Emergency security updates released

Additional Resources

• Microsoft Security Update Guide
• CVE-2026-3547 Details
• Exchange Server Security Updates

Organizations running Exchange Server should prioritize patching immediately, as attackers are actively exploiting this vulnerability in the wild. Exchange Online customers should verify their tenant is protected through automatic updates.