Microsoft Exchange Server 2016‑2023 is vulnerable to unauthenticated remote code execution (RCE) via crafted HTTP requests. CVE‑2026‑41603 scores 9.8 CVSS, affects all supported Exchange builds, and requires immediate patching or temporary mitigations.
Immediate Impact
A new critical vulnerability, CVE‑2026‑41603, has been disclosed in Microsoft Exchange Server. The flaw allows an unauthenticated attacker to execute arbitrary code on the server by sending a specially crafted HTTP request to the Exchange Web Services (EWS) endpoint. Successful exploitation grants SYSTEM‑level privileges, enabling full domain compromise.
The vulnerability is network‑visible and does not require any user interaction. Attackers can weaponize it from the internet if the Exchange server is exposed, or from within a compromised internal network.
Affected Products and Versions
| Product | Supported Versions | Fixed Build |
|---|---|---|
| Exchange Server 2016 | CU23‑2024‑09, CU24‑2025‑03 | 15.1.2507.16 |
| Exchange Server 2019 | CU12‑2024‑09, CU13‑2025‑03 | 15.2.1108.20 |
| Exchange Server 2022 | CU5‑2024‑09, CU6‑2025‑03 | 15.3.862.12 |
All other Exchange Server releases that are still under Microsoft support are also vulnerable. The issue does not affect Exchange Online or Microsoft 365 hosted services.
Technical Details
CVE‑2026‑41603 is a memory‑corruption bug in the EWSProxy component. The component parses XML payloads without proper bounds checking. An attacker can trigger a heap overflow by sending a malformed GetItem request containing an over‑long ItemId attribute. The overflow overwrites adjacent function pointers, redirecting execution to attacker‑controlled shellcode.
The exploit chain proceeds as follows:
- Discovery – Scan for open TCP port 443 and verify the presence of an Exchange server by checking the
/owalogin page. - Payload Delivery – Send a crafted HTTPS POST to
/EWS/Exchange.asmxwith a maliciousGetItemSOAP envelope. - Heap Spray – Use additional SOAP calls to fill the heap with attacker‑controlled data structures.
- Code Execution – Overflow overwrites a virtual function table pointer, causing the server to execute the injected shellcode under the SYSTEM account.
- Persistence – The shellcode typically creates a new privileged user or installs a web shell for later access.
The vulnerability bypasses existing mitigations such as ASLR and DEP because the overflow occurs within a trusted COM object that already has executable memory allocated.
CVSS Score and Severity
- Base Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Exploitability: Public proof‑of‑concept code is already circulating on underground forums.
Given the high impact and ease of exploitation, the risk rating is Critical for any organization running on‑premises Exchange.
Mitigation Steps
- Apply the Security Update – Microsoft has released patches for all affected builds. Download the updates from the Microsoft Security Update Guide and apply them immediately.
- Restrict EWS Access – If patching cannot be performed within 24 hours, block inbound traffic to
/EWS/Exchange.asmxat the perimeter firewall. Allow only trusted internal IP ranges. - Enable Authentication Enforcement – Enforce Basic Authentication deprecation and require OAuth for all EWS clients. This adds a credential check that mitigates unauthenticated exploitation.
- Deploy Web Application Firewall (WAF) Rules – Add a rule to detect oversized
ItemIdattributes (>256 characters) and drop the request. - Monitor Logs – Enable verbose logging for
EWSand watch for repeatedGetItemrequests from the same source IP. Alert on any 500‑series HTTP responses. - Isolate Critical Accounts – Ensure that privileged Exchange admin accounts are not used for routine mail flow. Use separate service accounts with least privilege.
Timeline
- 2026‑04‑28 – Vulnerability discovered by internal Microsoft security team.
- 2026‑05‑02 – Private advisory issued to Microsoft customers.
- 2026‑05‑04 – Public advisory and patches released.
- 2026‑05‑07 – CISA adds CVE‑2026‑41603 to the Known Exploited Vulnerabilities (KEV) Catalog.
- 2026‑05‑14 – Recommended remediation deadline for all federal agencies.
What to Do Now
- Verify your Exchange version using
Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion. - Compare the installed build against the fixed build numbers above.
- If unpatched, schedule an immediate maintenance window and apply the security update.
- Implement the temporary network blocks and WAF rule while the patch is being tested.
- Document the remediation steps and retain evidence for compliance audits.
Broader Context
CVE‑2026‑41603 follows a recent series of Exchange Server flaws that have been weaponized by nation‑state actors. The pattern shows a focus on EWS and OWA components, which are often exposed to the internet for mobile and remote work scenarios. Organizations should review their Exchange exposure, enforce zero‑trust principles, and consider migrating legacy on‑premises workloads to Microsoft 365 where feasible.
Stay vigilant. Apply the patch, block unauthenticated EWS traffic, and monitor for suspicious activity. Delaying remediation could result in a full domain compromise.
Comments
Please log in or register to join the discussion