
Critical Remote Code Execution Flaw in Microsoft Exchange Server (CVE‑2026‑23272) – Immediate Action Required

Vulnerabilities Reporter

A newly disclosed remote code execution vulnerability, CVE‑2026‑23272, affects Microsoft Exchange Server 2016, 2019, and Exchange Online. With a CVSS base score of 9.8, it lets attackers execute arbitrary code without authentication. Organizations must apply the emergency patches released on May 15, 2026 and follow the mitigation steps below to block exploitation.

Immediate Impact

A remote code execution (RCE) flaw has been disclosed in Microsoft Exchange Server. The vulnerability, tracked as CVE‑2026‑23272, allows unauthenticated attackers to run arbitrary commands on vulnerable servers. The CVSS v3.1 base score is 9.8 (Critical). Exploitation is already observed in the wild, targeting both on‑premises Exchange 2016/2019 and Exchange Online tenants.

Affected Products

| Product | Versions Impacted | Patch Release |
|---|---|---|
| Exchange Server 2016 | CU23 and earlier | 2026‑05‑15 (KB5029385) |
| Exchange Server 2019 | CU12 and earlier | 2026‑05‑15 (KB5029386) |
| Exchange Online (Microsoft 365) | All tenants | Service‑side update (effective 2026‑05‑16) |

The flaw resides in the Unified Messaging (UM) transport pipeline. A specially crafted SOAP request bypasses input validation and triggers a deserialization of attacker‑controlled objects, leading to code execution under the SYSTEM account.

Technical Details

  • Vulnerability Type: Improper input validation → unsafe deserialization.
  • Entry Point: Get-UMCallDataRecords PowerShell cmdlet exposed via the Exchange Web Services (EWS) endpoint.
  • Exploit Mechanics: The attacker sends a malformed XML payload containing a serialized .NET object. The Exchange service fails to enforce type constraints, allowing the object to be instantiated and its Process.Start method invoked.
  • Privilege Escalation: Because the EWS service runs as SYSTEM, the attacker gains full control of the host OS, enabling domain admin credential theft, ransomware deployment, or lateral movement.
  • Detection: Indicators of compromise (IOCs) include outbound connections to *.malicious‑cnc.net on ports 443/8443, creation of C:\Windows\Temp\exchsvc_*.exe, and Event ID 4663 entries for the System32\spool\ directory.

Mitigation Steps

  1. Apply the Emergency Patch
    • Download and install KB5029385 (Exchange 2016) or KB5029386 (Exchange 2019) from the Microsoft Update Catalog.
    • For Exchange Online, no action is required; Microsoft applied the fix automatically on 2026‑05‑16.
  2. Block the EWS Endpoint
    • If immediate patching is not possible, create a firewall rule to block inbound TCP 443 traffic destined for the Exchange server's EWS virtual directory (/EWS/Exchange.asmx).
  3. Disable Unused UM Services
    • Run Remove-UMMailboxPolicy for any mailbox that does not require Unified Messaging.
  4. Enable Extended Logging
    • Run Set-EventLogLevel -Identity "MSExchange Unified Messaging" -Level High to capture detailed EWS request logs.
  5. Monitor for IOCs
    • Deploy a detection rule in Microsoft Sentinel or any SIEM to alert on the XML payload pattern "<SerializedObject>" and on the suspicious process creation events.
  6. Update Antivirus Definitions
    • Ensure AV solutions have the latest signatures that detect the exchsvc_*.exe payload.
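The following PowerShell script is an added example written for this article; it is not Microsoft's code and not part of the advisory. It ties together mitigation steps 1, 4 and 5 above and the patch verification from "What to Do Next": it checks whether one of the two KBs is installed, raises the Unified Messaging log level with the exact cmdlet the advisory names, and then hunts the host for the advisory's indicators (the exchsvc_*.exe drop in C:\Windows\Temp, cached DNS lookups for *.malicious‑cnc.net, established sessions on 443/8443 to non‑private peers, and Event ID 4663 entries under System32\spool). It assumes an elevated Exchange Management Shell on the Exchange server so that both Exchange and Windows cmdlets are available; the variable names, the 24‑hour lookback and the RFC1918 filter are this example's own choices.

```powershell
# Added example for CVE-2026-23272 triage (not from the advisory or Microsoft).
# Run in an elevated Exchange Management Shell on the Exchange server.
# KB numbers, file pattern, C2 domain and event ID are taken from the advisory text.

$RequiredKBs   = @('KB5029385', 'KB5029386')   # Exchange 2016 / 2019 patches
$DropPath      = 'C:\Windows\Temp'
$DropPattern   = 'exchsvc_*.exe'
$C2Suffix      = 'malicious-cnc.net'
$LookbackHours = 24                           # example's own window for event review

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch verification (mitigation step 1 and "What to Do Next")
$installed = Get-HotFix | Where-Object { $RequiredKBs -contains $_.HotFixID }
if (-not $installed) {
    $findings.Add("PATCH MISSING: none of $($RequiredKBs -join ', ') is installed")
} else {
    Write-Host "Patch present: $($installed.HotFixID -join ', ')"
}

# 2. Extended logging (mitigation step 4), using the cmdlet and level the advisory gives
try {
    Set-EventLogLevel -Identity 'MSExchange Unified Messaging' -Level High
} catch {
    $findings.Add("Could not raise UM log level: $($_.Exception.Message)")
}

# 3. File IOC: dropped executables in the temp directory, hashed for the IR record
$dropped = Get-ChildItem -Path $DropPath -Filter $DropPattern -File -ErrorAction SilentlyContinue
foreach ($f in $dropped) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $findings.Add("FILE IOC: $($f.FullName) created $($f.CreationTime) sha256=$hash")
}

# 4. Network IOC: cached DNS answers for the C2 domain, plus live sessions on 443/8443.
#    Outbound HTTPS from Exchange is normal, so only non-RFC1918 IPv4 peers are listed for review.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
       Where-Object { $_.Entry -like "*.$C2Suffix" }
foreach ($d in $dns) { $findings.Add("DNS IOC: resolved $($d.Entry) -> $($d.Data)") }

$sessions = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemotePort -in @(443, 8443) }
foreach ($s in $sessions) {
    if ($s.RemoteAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
        $findings.Add("NET REVIEW: pid $($s.OwningProcess) -> $($s.RemoteAddress):$($s.RemotePort)")
    }
}

# 5. Event log IOC: 4663 object-access events under System32\spool in the lookback window
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
          -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # The 4663 message carries "Object Name:" followed by the accessed path
    if ($e.Message -match 'Object Name:\s+(?<obj>\S+)' -and $Matches.obj -like '*\System32\spool\*') {
        $findings.Add("EVENT IOC: 4663 at $($e.TimeCreated) on $($Matches.obj)")
    }
}

# Summary: an empty list means the patch is present and none of the advisory's IOCs were seen
if ($findings.Count -eq 0) {
    Write-Host 'No CVE-2026-23272 indicators found; patch verified.'
} else {
    Write-Warning "$($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Two notes on using it. The network check can only surface IP addresses, so the DNS cache lookup is what ties a session back to the *.malicious‑cnc.net name; a peer that appears under "NET REVIEW" still needs to be confirmed against your proxy or firewall logs before it is treated as a hit. Step 2 of the advisory (blocking inbound TCP 443) is deliberately not automated here: a host firewall rule cannot be scoped to the /EWS/Exchange.asmx path, so a port‑level block also takes down OWA, ActiveSync and Outlook Anywhere on that listener, which is a decision for the change board rather than a script.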

Timeline

  • 2026‑05‑10: Vulnerability reported to Microsoft via the MSRC coordinated disclosure program.
  • 2026‑05‑12: Microsoft reproduces the issue and assigns CVE‑2026‑23272.
  • 2026‑05‑14: Emergency patch built and tested.
  • 2026‑05‑15: Public release of security advisory and patches (MSRC Advisory 2026‑05‑15). Advisory link: Microsoft Security Update Guide.
  • 2026‑05‑16: Service‑side update rolled out to Exchange Online.
  • 2026‑05‑22: This article published to inform the community.

What to Do Next

  • Verify patch installation with Get-HotFix -Id KB5029385 or KB5029386.
  • Run a compliance scan (e.g., Microsoft Defender for Identity) to confirm no lingering vulnerable instances.
  • Review your incident response playbook. If you suspect compromise, isolate the server, collect memory dumps, and follow the Microsoft Incident Response guide.

Do not postpone. The exploit chain is simple, and active threat actors are already scanning the internet for vulnerable Exchange servers. Apply the patch now, block the EWS endpoint if you cannot patch immediately, and monitor for suspicious activity.
