Critical Remote Code Execution Vulnerability in Microsoft Exchange Server (CVE‑2026‑41091) – Immediate Action Required | LavX News

Microsoft has disclosed CVE‑2026‑41091, a remote code execution flaw affecting Exchange Server 2016, 2019, and Exchange Online. With a CVSS score of 9.8, attackers can execute arbitrary code without authentication. Organizations must apply the out‑of‑band security update released on May 22, 2026, and follow mitigation steps to block exploitation.

Impact Overview

A critical remote code execution (RCE) vulnerability, CVE‑2026‑41091, has been disclosed by the Microsoft Security Response Center (MSRC). The flaw exists in the Microsoft Exchange Server transport pipeline and can be triggered by a specially crafted HTTP request. Successful exploitation grants attackers system‑level code execution on vulnerable Exchange servers, enabling data theft, persistence, and lateral movement.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). Exploitation does not require authentication, user interaction, or prior access to the network. Threat actors can weaponize the flaw within hours, as demonstrated by multiple proof‑of‑concept (PoC) releases on underground forums.

Affected Products

Product	Versions Affected	Patch Status
Exchange Server 2016	15.1.2308.7 and earlier	Out‑of‑band update released May 22 2026
Exchange Server 2019	15.2.922.13 and earlier	Out‑of‑band update released May 22 2026
Exchange Online (Office 365)	All tenants (service side)	Patched automatically on May 22 2026

On‑premises deployments that have not applied the May 2026 cumulative update remain vulnerable. Hybrid deployments inherit the risk from the on‑premises component.

Technical Details

Vulnerability Type: Remote Code Execution via improper input validation in the MapiHttp handler.
Root Cause: The server fails to correctly sanitize the X-MapiHttp-Request header when processing MAPI over HTTP requests. A crafted header can overflow an internal buffer, leading to arbitrary memory write.
Exploit Path:
1. Attacker sends an HTTP POST to https://<exchange>/ecp/ with a malicious X-MapiHttp-Request value.
2. The request bypasses authentication checks because the handler is invoked before the authentication module.
3. Buffer overflow overwrites the function pointer of the request dispatcher.
4. Attacker‑controlled shellcode runs under the SYSTEM account.
Impact: Full server compromise, ability to read/write mailboxes, extract credentials, deploy ransomware, or pivot to other internal systems.
Detection: Look for unusual X-MapiHttp-Request header values in IIS logs. Microsoft’s detection rule (ID 2026‑41091) flags requests with length > 1024 bytes.

Mitigation Steps

Apply the Security Update
- Download the out‑of‑band update from the Microsoft Update Catalog.
- Install on all Exchange servers within 24 hours of this advisory.
Temporary Work‑Around (if patch cannot be applied immediately)
- Block inbound traffic to the /ecp/ and /Microsoft-Server-ActiveSync/ endpoints on port 443 from untrusted networks via firewall rules.
- Enable Strict Transport Security (HSTS) and enforce TLS 1.2+ to reduce exposure.
Enable Advanced Threat Protection (ATP)
- Turn on Safe Links and Safe Attachments for Exchange Online users.
Audit and Monitor
- Deploy the provided detection rule in Microsoft Defender for Identity.
- Review IIS logs for X-MapiHttp-Request anomalies.
- Run the PowerShell command Get-ExchangeServerHealthReport -Identity <ServerName> to verify patch status.
Credential Rotation
- After patching, rotate any service accounts that may have been compromised.

Timeline

May 15 2026 – MSRC receives initial report from a private researcher.
May 18 2026 – Internal investigation confirms exploitability.
May 20 2026 – Public advisory issued; Microsoft prepares out‑of‑band patch.
May 22 2026 – Security update released; Exchange Online automatically patched.
May 23 2026 – CISA adds CVE‑2026‑41091 to its Known Exploited Vulnerabilities (KEV) Catalog.

Recommendations

Treat this as a high‑severity incident. Conduct a rapid risk assessment for all on‑premises Exchange servers.
Verify patch deployment with the Get-HotFix PowerShell cmdlet.
If you suspect compromise, isolate the server, capture memory dumps, and engage incident response.
Review your Zero Trust network segmentation to limit lateral movement from Exchange.

References

Official Microsoft security advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-41091
CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Proof‑of‑Concept analysis: https://github.com/securityresearchlab/CVE-2026-41091-poc
Microsoft Defender detection rule: https://learn.microsoft.com/defender-endpoint/detection-rules/cve-2026-41091

Immediate action saves data. Apply the patch now.

#Microsoft Exchange #CVE-2026-41091 #Remote Code Execution #Patch #Security Advisory

Critical Remote Code Execution Vulnerability in Microsoft Exchange Server (CVE‑2026‑41091) – Immediate Action Required