The Cybersecurity and Infrastructure Security Agency issued an emergency directive today ordering all federal civilian agencies to patch a critical zero-day vulnerability in Microsoft Exchange Server within 48 hours. The vulnerability, tracked as CVE-2026-21893, allows unauthenticated remote code execution and is being actively exploited by at least two state-sponsored threat groups.
Microsoft released an out-of-band security update late Monday night addressing the flaw, which affects Exchange Server 2019 and the hybrid components of Exchange Online. CISA said it has observed exploitation attempts targeting government agencies, defense contractors, and critical infrastructure operators since April 10, suggesting the vulnerability was being used as a zero-day before its public disclosure.
Organizations running on-premises Exchange are urged to apply the patch immediately or disconnect affected servers from the internet as an interim mitigation. CISA is also recommending that organizations review their Exchange server logs for indicators of compromise dating back to early April. The directive marks the fourth emergency order CISA has issued in 2026, underscoring the persistent threat that unpatched server software poses to national security.
