Microsoft has confirmed a critical zero-day vulnerability in Exchange Server 2019 that is being actively exploited by state-sponsored threat actors. The flaw, tracked as CVE-2026-21893, allows remote code execution without authentication through specially crafted email messages.
Security researchers at Volexity first detected the exploitation on April 12, observing attacks targeting government agencies and defense contractors in North America and Europe. Microsoft has released an emergency out-of-band patch and urges immediate deployment.
Organizations unable to patch immediately should implement the provided mitigation steps, which include disabling certain Exchange web services and applying network-level filtering rules.
