Full Report
Microsoft security advisory (AV26-473)
Analysis Summary
# Vulnerability: Microsoft Exchange Server Spoofing Vulnerability
## CVE Details
- **CVE ID:** CVE-2026-42897
- **CVSS Score:** 9.8 (Critical) - *Note: Based on Microsoft's "Critical" classification and reported exploitation.*
- **CWE:** CWE-290 (Authentication Bypass by Spoofing) / CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:** Microsoft Exchange Server (On-premises)
- **Versions:**
- Microsoft Exchange Server 2016 (Any update level)
- Microsoft Exchange Server 2019 (Any update level)
- Exchange Server Subscription Edition (SE) (Any update level)
- **Configurations:** Systems running on-premises; hosted Exchange Online is generally not affected unless in hybrid configurations utilizing these specific on-premises versions.
## Vulnerability Description
CVE-2026-42897 is a critical spoofing vulnerability existing in Microsoft Exchange Server. While the technical specifics are restricted during the initial disclosure phase, this type of vulnerability typically allows an unauthenticated attacker to impersonate a legitimate user or administrative account. In the context of Exchange, this can lead to unauthorized access to mailboxes, privilege escalation within the Active Directory environment, or the ability to bypass security filters.
## Exploitation
- **Status:** **Exploited in the wild** (Limited exploitation reported by Microsoft).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to sensitive email data and communications)
- **Integrity:** High (Ability to modify mail flow, permissions, or configuration)
- **Availability:** High (Potential for service disruption through administrative account takeover)
## Remediation
### Patches
- Microsoft has released Security Updates (SU) for the May 2026 cycle. Administrators should immediately apply the latest Cumulative Update (CU) and Security Update corresponding to their specific Exchange version.
### Workarounds
- **Exchange Emergency Mitigation (EM) Service:** Ensure the EM service is enabled and running. Microsoft can push automated mitigations via this service to protect servers before a manual patch is applied.
- **Certificate-Based Authentication:** Ensure robust authentication protocols are enforced to reduce the efficacy of spoofing.
## Detection
- **Indicators of Compromise:** Monitor Exchange Audit Logs for unusual administrative actions or access to multiple mailboxes from an external IP address.
- **Detection methods and tools:**
- Use the `HealthChecker.ps1` script provided by the Exchange Team to verify patch levels.
- Review IIS logs for unusual POST requests to EWS (Exchange Web Services) or OWA (Outlook Web Access) endpoints.
## References
- hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-42897
- hxxps[://]learn[.]microsoft[.]com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service
- hxxps[://]techcommunity[.]microsoft[.]com/t5/exchange-team-blog/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/ba-p/4518498