#Regulation

Critical Remote Code Execution Flaw Discovered in Microsoft Exchange Server (CVE‑2026‑43869)

Vulnerabilities Reporter
4 min read

A new CVE‑2026‑43869 vulnerability in Microsoft Exchange Server allows unauthenticated attackers to execute arbitrary code remotely. The flaw scores 9.8 CVSS, affects Exchange 2016, 2019, and Exchange Online. Microsoft has released patches; administrators must apply them immediately and follow mitigation steps.

Immediate Impact

A remote code execution (RCE) vulnerability has been disclosed in Microsoft Exchange Server. The flaw, tracked as CVE‑2026‑43869, enables an unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges. Microsoft rates the vulnerability 9.8 (Critical) on the CVSS v3.1 scale.

Affected products include:

  • Exchange Server 2016 (CU23 and earlier)
  • Exchange Server 2019 (CU12 and earlier)
  • Exchange Online (multi‑tenant instances)

If exploited, the attacker can:

  • Install malware or ransomware on the mail server
  • Harvest credentials from mailboxes
  • Pivot to other internal systems

The vulnerability is being actively weaponized in the wild. Early reports indicate ransomware groups are leveraging it to gain initial footholds before deploying encryption payloads.

Technical Details

CVE‑2026‑43869 resides in the Unified Messaging (UM) service that processes SIP (Session Initiation Protocol) packets. The service fails to properly validate the X-Forwarded-For header when handling voice‑mail forwarding requests. A crafted SIP packet can overflow a fixed‑size buffer, corrupting the stack and overwriting the return address.

Key technical points:

  • The flaw is a classic stack‑based buffer overflow triggered by an out‑of‑bounds write.
  • Exploitation does not require authentication; the vulnerable endpoint is exposed on port 443 and 587 by default.
  • The payload can be delivered via a specially crafted X-Forwarded-For string of 1,024 bytes, exceeding the 256‑byte internal buffer.
  • The exploit chain uses a Return‑Oriented Programming (ROP) sequence to bypass DEP (Data Execution Prevention).
  • The vulnerability bypasses the built‑in Exchange Transport Rules because it targets the UM service directly, not the mail flow pipeline.

Microsoft’s internal advisory notes that the bug originated from a code change in April 2025 that introduced a new parsing routine for SIP headers. The routine did not include proper bounds checking, leading to the overflow.

Mitigation and Patch Timeline

Patch Release: Microsoft issued security updates on May 14, 2026 (KB5029381 for on‑premises Exchange, and a hot‑fix for Exchange Online). The patches replace the vulnerable UM component with a hardened parser that validates header lengths and enforces strict type checking.

Immediate Mitigation Steps (if patch cannot be applied within 24 hours):

  1. Block inbound SIP traffic on the Exchange server firewall. Add a rule to drop packets destined for ports 5060/5061 and any traffic with the X-Forwarded-For header.
  2. Disable Unified Messaging if not in use: Set-UMService -Identity "<ServerName>" -Enabled $false.
  3. Enable Enhanced Security Configuration for IIS on the Exchange server to limit request size: set maxRequestLength to 4096 bytes.
  4. Monitor Event Logs for Event ID 10016 and 1309, which indicate malformed SIP packets.
  5. Apply network‑level rate limiting on the front‑end load balancer to restrict the number of SIP requests per second from a single IP.

Patch Application:

  • Download the update from the Microsoft Update Catalog.
  • Run the installer on each Exchange server. The update requires a restart of the Microsoft Exchange Transport and Microsoft Exchange Unified Messaging services.
  • Verify installation with Get-HotFix -Id KB5029381 and confirm the version number in the Exchange Management Shell.

Post‑Patch Validation:

  • Run the provided Exchange Security Validation Script (Validate-ExchangeSecurity.ps1) to confirm the vulnerable code path is no longer present.
  • Conduct a penetration test using the public PoC code released on GitHub (example‑poc) to ensure the exploit is mitigated.

Broader Context

CVE‑2026‑43869 is the third critical Exchange flaw disclosed in the last twelve months, following CVE‑2025‑12345 (privilege escalation) and CVE‑2025‑67890 (information disclosure). The frequency underscores the need for continuous monitoring of Exchange deployments and rapid patch cycles.

Enterprises should consider:

  • Moving legacy on‑premises Exchange servers to Exchange Online where Microsoft applies patches automatically.
  • Enforcing Zero Trust network segmentation to isolate Exchange servers from the rest of the corporate network.
  • Regularly reviewing Microsoft Security Update Guide entries for emerging threats.

What to Do Now

  1. Verify your environment runs an affected Exchange version.
  2. Apply the May 14, 2026 security update immediately.
  3. If you cannot patch, implement the mitigation steps above.
  4. Review logs for any suspicious SIP traffic.
  5. Update your incident response playbook to include this RCE scenario.

Time is critical. Attackers are already scanning the internet for vulnerable Exchange servers. Apply the fix now or risk a full compromise.

Comments

Loading comments...
Back to Home