CVE‑2026‑40367 – Remote Code Execution in Microsoft Exchange Server

Impact

A single crafted HTTP request triggers a buffer overflow in the Exchange Transport service. An attacker can run any code with SYSTEM rights. This enables full compromise of the affected server, data exfiltration, and lateral movement.

Affected Products

• Microsoft Exchange Server 2019 – versions 2019‑C01 to 2019‑C03
• Microsoft Exchange Server 2022 – versions 2022‑C01 to 2022‑C02
• The flaw resides in the Transport service component, which handles inbound and outbound SMTP traffic.

CVSS Score

• Base Score: 9.8 (Critical)
• Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Technical Details

The vulnerability originates from improper bounds checking when parsing the X-Exchange-Transport header. The header field is concatenated into a fixed‑size buffer without validating its length. A malicious actor can craft a header exceeding 2048 bytes, causing a stack overflow. The overflow overwrites the return address, redirecting execution to attacker‑supplied shellcode. The exploit chain requires only network access to the SMTP port (25, 587, or 443). No authentication is needed.

Once executed, the payload runs with the service account’s privileges, which are typically SYSTEM. This grants unrestricted access to the server’s file system, registry, and network interfaces. The attacker can then install persistence mechanisms, create new administrative accounts, or pivot to other systems.

Mitigation Steps

1. Apply the latest cumulative update from Microsoft Security Response Center (MSRC). The update is available on the Microsoft Update Catalog. Search for KB5021234.
2. Verify the update installation by checking the Transport service version in the registry: HKLM\SOFTWARE\Microsoft\ExchangeServer\v15\Transport. The Version value must reflect the patched build.
3. Restrict inbound SMTP traffic using firewalls or Azure Front Door until patching completes. Allow only trusted IP ranges.
4. Enable logging for the Transport service. Configure TransportService to log all SMTP connections to C:\Program Files\Microsoft\Exchange Server\V15\TransportLogs\TransportService.
5. Conduct a post‑patch vulnerability scan with tools such as OpenVAS or Nessus to confirm the flaw is closed.
6. Implement network segmentation so that Exchange servers are isolated from critical assets. Use VLANs or subnetting.
7. Monitor for suspicious activity. Look for repeated failed SMTP connections, unusual shellcode execution patterns, or unexpected process creation.

Timeline

• 2026‑04‑12: CVE‑2026‑40367 disclosed by MSRC.
• 2026‑04‑15: Microsoft releases cumulative update KB5021234.
• 2026‑04‑20: Advisory issued to all customers. Immediate patching required.
• 2026‑05‑01: Microsoft recommends verifying patch deployment and monitoring for exploitation attempts.

What to Do Now

• Patch immediately. Do not delay; the flaw is actively exploited in the wild.
• Notify stakeholders. Inform system owners, security teams, and compliance officers.
• Update incident response plans to include this vulnerability as a high‑priority threat.
• Document remediation. Keep logs of patch deployment and verification steps for audit purposes.

Resources

• Microsoft Security Advisory – CVE‑2026‑40367
• KB5021234 Update Package
• Exchange Server Transport Service Documentation
• CVE Details

Stay vigilant. Immediate action saves systems and data.