A newly disclosed vulnerability, CVE‑2026‑42010, allows unauthenticated attackers to execute arbitrary code on vulnerable Exchange Server installations. The flaw carries a CVSS score of 9.8 and affects Exchange 2016, Exchange 2019, and Exchange Online. Immediate patching and mitigation are required.
Critical Remote Code Execution Vulnerability in Microsoft Exchange Server (CVE‑2026‑42010)
Impact: Unauthenticated remote code execution on Exchange Server.
Severity: CVSS 9.8 (Critical).
Affected products: Microsoft Exchange Server 2016 (CU23‑CU27), Exchange Server 2019 (CU12‑CU16), Exchange Online (tenant‑wide).
Disclosure date: 2026‑04‑22.
Patch release: 2026‑04‑28 (KB5029382).
What happened?
Microsoft’s Security Response Center (MSRC) published an advisory for CVE‑2026‑42010. The flaw resides in the Unified Messaging (UM) transport pipeline. A crafted HTTP request can corrupt memory in the UMService.exe process, bypassing DEP and ASLR. Successful exploitation grants the attacker a SYSTEM‑level shell on the Exchange host.
The vulnerability is wormable: the same request can be sent to any reachable Exchange server without prior authentication. Early testing shows the exploit can propagate across an internal network within minutes, similar to the 2021 ProxyLogon chain.
Technical details
- Vulnerability type: Remote Code Execution (RCE) via memory corruption.
- CWE: CWE‑119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
- Trigger vector: HTTP `POST` to `/owa/auth.owa` with a malicious MIME multipart payload. The payload contains an oversized `Content-Length` header that overflows a stack buffer in the UM transport parser.
- Privilege escalation: The compromised `UMService.exe` runs as `NT AUTHORITY\SYSTEM`. The exploit spawns a reverse shell using PowerShell, then pivots to the Exchange Management Shell.
- Network requirements: Port 443 (HTTPS) must be reachable. No authentication token is needed.
- Proof‑of‑Concept (PoC): A minimal PoC script is available on the official MSRC GitHub repo. The script demonstrates the payload and verifies code execution by creating the file `C:\temp\poc.txt`.
Why it matters
- Enterprise exposure: Exchange Server powers email for millions of organizations. A successful exploit can expose sensitive communications, credentials, and internal network topology.
- Data breach risk: Attackers can exfiltrate mailboxes, install web shells, and move laterally to domain controllers.
- Compliance impact: A breach could violate GDPR, HIPAA, and other regulations, leading to fines and reputational damage.
Mitigation steps
- Apply the patch immediately.
  - Download and install KB5029382 from the Microsoft Update Catalog.
  - Verify installation with `Get-HotFix -Id KB5029382`.
- Block the vulnerable endpoint.
  - Add a firewall rule to drop inbound HTTPS traffic to `/owa/auth.owa` from untrusted networks until the patch is applied.
- Enable Extended Protection for Authentication (EPA).
  - EPA adds channel binding tokens that invalidate the exploit’s unauthenticated request.
- Monitor for Indicators of Compromise (IoCs).
  - Look for new processes named `svchost.exe` with a command line containing `-w3wp`.
  - Detect outbound connections to rare IPs on port 4444.
  - Use the Microsoft Defender for Identity rule set “Exchange RCE Attempt”.
- Isolate suspected servers.
  - Disconnect any Exchange host showing the IoCs from the corporate network.
  - Perform a forensic capture of memory (ProcDump) and review the `UMService.exe` dump for the known shellcode signature.
- For Exchange Online tenants:
  - Microsoft has already applied the fix on the service side.
  - Verify that your tenant is on the latest protection level via the Security Center.
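As an added example (not part of the advisory and not Microsoft's detection rule set), the following Python scanner applies the two host-based IoCs listed under "Monitor for Indicators of Compromise" to Sysmon-style event lines: a process creation for `svchost.exe` whose command line contains `-w3wp`, and an outbound connection to port 4444 whose destination IP is rare relative to a baseline. The sample events, the 30‑day destination baseline, and the "rare" threshold of two sightings are all constructed for illustration; the field names (`EventID`, `Image`, `CommandLine`, `DestinationIp`, `DestinationPort`) follow Sysmon's Event ID 1 and Event ID 3 schema.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Regex for Sysmon-style "Key=value" pairs; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed baseline (not real data): how often each destination IP was seen in
# outbound connections over a hypothetical 30-day window. Absent IPs count as 0.
BASELINE_DESTINATIONS = Counter({"10.0.0.5": 312, "10.0.0.9": 140})
RARE_THRESHOLD = 2  # an IP seen this many times or fewer in the baseline is "rare"

# Constructed sample telemetry, one event per line (Sysmon Event ID 1 = process
# creation, Event ID 3 = network connection). Illustrative lines, not real captures.
SAMPLE_EVENTS = r'''
EventID=1 Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs -p" ParentImage="C:\Windows\System32\services.exe"
EventID=1 Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -w3wp" ParentImage="C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMService.exe"
EventID=3 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" DestinationIp=10.0.0.5 DestinationPort=443
EventID=3 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" DestinationIp=203.0.113.77 DestinationPort=4444
EventID=3 Image="C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe" DestinationIp=10.0.0.9 DestinationPort=4444
'''.strip().splitlines()


def parse_event(line: str) -> dict:
    """Turn one Key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def suspicious_svchost(ev: dict) -> bool:
    """IoC 1: process creation of svchost.exe with -w3wp on the command line.
    A legitimate svchost.exe is started by services.exe with -k/-p switches;
    the -w3wp token is the indicator the advisory lists."""
    if ev.get("EventID") != "1":
        return False
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    return image == "svchost.exe" and "-w3wp" in ev.get("CommandLine", "").lower()


def rare_port_4444(ev: dict, baseline: Counter, threshold: int = RARE_THRESHOLD) -> bool:
    """IoC 2: outbound connection to port 4444 whose destination IP was seen at
    most `threshold` times in the baseline window (i.e. is rare for this host)."""
    if ev.get("EventID") != "3" or ev.get("DestinationPort") != "4444":
        return False
    return baseline[ev.get("DestinationIp", "")] <= threshold


def scan(lines, baseline: Counter = BASELINE_DESTINATIONS):
    """Return (rule, image, detail) tuples for every event line matching an IoC."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if suspicious_svchost(ev):
            findings.append(("svchost_w3wp", ev["Image"], ev["CommandLine"]))
        elif rare_port_4444(ev, baseline):
            findings.append(("rare_ip_port_4444", ev["Image"], ev["DestinationIp"]))
    return findings


if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {image} :: {detail}")
```

Run against the constructed sample, the scanner flags the `-w3wp` svchost launch and the PowerShell connection to 203.0.113.77:4444, while the frequently seen internal 10.0.0.9:4444 connection stays below the rarity threshold. In production the baseline would be built from your own connection telemetry rather than hard-coded, and the threshold tuned so that known internal destinations on port 4444 do not page the on-call engineer.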
Timeline
| Date | Event |
|---|---|
| 2026‑04‑15 | Vulnerability discovered by internal Microsoft red team. |
| 2026‑04‑20 | Private disclosure to affected customers. |
| 2026‑04‑22 | CVE assigned and advisory published (CVE‑2026‑42010). |
| 2026‑04‑24 | Patch built and tested internally. |
| 2026‑04‑28 | Public patch (KB5029382) released. |
| 2026‑05‑02 | First public exploit observed in the wild targeting a European telecom. |
| 2026‑05‑07 | CISA adds CVE‑2026‑42010 to the Known Exploited Vulnerabilities (KEV) Catalog. |
What to do now
- Patch every on‑premises Exchange server within 24 hours.
- Validate that the firewall rule is in place before the patch is applied to avoid service disruption.
- Run the provided PowerShell remediation script from the MSRC repo to scan for lingering malicious artifacts.
- Update your incident response playbook to include the new IoCs and the PoC detection signature.
- Notify senior management and compliance officers of the exposure and remediation status.
References
- Official Microsoft advisory: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2026-42010
- KB5029382 patch details: https://support.microsoft.com/kb/5029382
- CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- PoC and detection rules: https://github.com/microsoft/msrc-cve-2026-42010
Bottom line: CVE‑2026‑42010 is a critical, unauthenticated RCE that can spread like a worm across Exchange environments. Apply the patch now, block the vulnerable endpoint, and monitor for the listed IoCs. Failure to act quickly could result in a full‑scale breach of corporate email and downstream systems.