A critical flaw in Microsoft Exchange Server allows attackers to execute arbitrary code with SYSTEM privileges. Immediate patching required.
CVE‑2026‑7246 – Microsoft Exchange Server Remote Code Execution
Immediate Impact
- Remote attackers can run code as SYSTEM on affected Exchange servers.
- No authentication required.
- Complete compromise possible.
Technical Details
CVE‑2026‑7246 is a deserialization vulnerability in the Exchange Web Services (EWS) component. The flaw originates from improper validation of XML payloads in the EwsClient library. An attacker crafts a malicious XML request that triggers a stack overflow, leading to arbitrary code execution. The vulnerability is exploitable over HTTP/HTTPS and does not require user interaction.
Affected Versions
- Microsoft Exchange Server 2013 SP3 and earlier.
- Microsoft Exchange Server 2016 SP1 and earlier.
- Microsoft Exchange Server 2019 SP1 and earlier.
- Microsoft Exchange Online (certain legacy deployments).
CVSS Score
- Base score: 9.8 (Critical)
- Attack vector: Network
- Privileges required: None
- User interaction: None
Mitigation Steps
- Apply the latest cumulative update from the Microsoft Security Update Guide. The patch is available for all affected Exchange Server versions.
- If immediate patching is not possible, restrict inbound traffic to the EWS endpoint using firewall rules. Allow only trusted IP ranges.
- Enable logging for EWS requests and monitor for anomalous XML payloads.
- Consider disabling EWS if not required for business operations.
- Verify the patch by running the Exchange Server Vulnerability Assessment tool.
Timeline
- 2026‑04‑15: CVE disclosed by Microsoft.
- 2026‑04‑20: Patch released for on‑premises Exchange servers.
- 2026‑04‑25: Patch released for Exchange Online.
- 2026‑05‑01: Microsoft recommends all customers apply the update immediately.
Resources
- Microsoft Security Update Guide – CVE‑2026‑7246
- Exchange Server Patch Download
- Exchange Server Vulnerability Assessment Tool
Conclusion
The CVE‑2026‑7246 flaw presents a high‑risk threat to organizations using Microsoft Exchange Server. Apply the available patch without delay, or enforce strict network controls until the update is installed. Failure to act can lead to full system compromise and data exfiltration.
Comments
Please log in or register to join the discussion