Microsoft has released an emergency out-of-band security update to address a critical remote code execution (RCE) vulnerability, CVE-2026-17747, affecting on-premises Microsoft Exchange Server 2016 and 2019. The vulnerability carries a CVSS score of 9.8 (Critical) and is being actively exploited in the wild. An unauthenticated attacker can trigger the flaw by sending a specially crafted email, leading to RCE on the server. Due to the active, albeit currently limited, exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-04, compelling federal agencies to apply the patch within 48 hours. All organizations with on-premises Exchange servers are strongly advised to patch immediately to prevent widespread attacks.
CVE-2026-17747 is a vulnerability in the email filtering component of Microsoft Exchange Server. It can be exploited by an unauthenticated attacker on the same network or over the internet.
The vulnerability impacts the following on-premises Microsoft Exchange Server versions: Exchange Server 2016 and Exchange Server 2019.
Microsoft Exchange Online is not affected.
The vulnerability was discovered by the security firm Praetorian, which reported observing its exploitation in targeted attacks. While Microsoft's Security Response Center (MSRC) notes that exploitation is currently limited, the history of Exchange vulnerabilities (such as the 2021 Hafnium attacks) shows that they can be quickly reverse-engineered and weaponized for mass exploitation by a wide range of threat actors, from state-sponsored groups to ransomware gangs.
The inclusion of CVE-2026-17747 in CISA's Known Exploited Vulnerabilities (KEV) catalog and the issuance of an emergency directive underscore the severity and urgency of the threat.
Successful exploitation of this vulnerability gives an attacker complete control over the Exchange server, which can lead to a catastrophic security breach.
The following patterns may help identify vulnerable or compromised systems:
Process monitoring: the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe.
File monitoring: new .aspx files appearing in Exchange web directories (written by w3wp.exe).
Network traffic analysis.
Run the Test-ProxyLogon.ps1 script to check for indicators of compromise. Even if you patch quickly, you may have already been compromised.
Applying the emergency patch for CVE-2026-17747 is the only way to remediate the vulnerability and is the highest priority action.
Restricting external access to the Exchange server to only trusted IPs and services can reduce the attack surface, though it may not block a determined attacker.
Enabling and monitoring detailed logs for IIS, Exchange, and Windows can help detect post-exploitation activity if a server is compromised before it can be patched.
Using an EDR solution to monitor for suspicious behavior, such as an IIS process spawning a command shell, can detect and block exploitation attempts.
The primary and most critical countermeasure is the immediate application of the out-of-band security update for CVE-2026-17747. Due to the active exploitation and the server-side, unauthenticated nature of the vulnerability, this action must be prioritized above all others. Organizations should treat this as an emergency change and deploy the patch to all on-premises Exchange 2016 and 2019 servers without delay. Use Microsoft's provided scripts to verify patch installation.
In addition to patching, organizations must hunt for signs of existing compromise. Configure EDR and monitoring tools to specifically look for the IIS worker process (w3wp.exe) associated with Exchange spawning anomalous child processes. Any instance of w3wp.exe launching cmd.exe, powershell.exe, or any other unexpected binary is a high-confidence indicator of a web shell compromise, which is a common post-exploitation step for Exchange vulnerabilities. This allows for detection even if the initial exploit was missed.
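The process-tree rule described above, written out as an added example (this is not code from the advisory or from Microsoft). It runs over constructed process-creation records shaped like Sysmon Event ID 1 (ParentImage, ParentCommandLine, Image, CommandLine), which most EDR and SIEM feeds can supply; the EXPECTED_CHILDREN allowlist and the sample events are assumptions to be tuned against your own baseline.

```python
"""Process-tree detection: w3wp.exe spawning unexpected children.

Added example, not code from the advisory or from Microsoft. It runs over
constructed process-creation records shaped like Sysmon Event ID 1 (ParentImage,
ParentCommandLine, Image, CommandLine), which most EDR/SIEM feeds can supply.
"""
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# High-confidence web-shell indicators when the parent is the IIS worker process.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed allowlist: children w3wp.exe can legitimately spawn (ASP.NET dynamic
# compilation, Windows error reporting). Tune this against your own baseline.
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "werfault.exe"}


def _basename(image: str) -> str:
    """Case-insensitive file name, so C:\\...\\W3WP.EXE and w3wp.exe match."""
    return PureWindowsPath(image).name.lower()


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation record."""
    if _basename(event.get("ParentImage", "")) != "w3wp.exe":
        return None
    child = _basename(event.get("Image", ""))
    if child in SHELL_CHILDREN:
        return "high"
    if child in EXPECTED_CHILDREN:
        return None
    return "medium"  # any other child of w3wp.exe is still worth a look


def is_exchange_pool(parent_cmdline: str) -> bool:
    """IIS passes the application pool name via -ap; Exchange pools are named MSExchange*."""
    return "msexchange" in parent_cmdline.lower()


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Scan records and return alerts in the order they were encountered."""
    alerts: List[Dict[str, object]] = []
    for e in events:
        severity = classify_event(e)
        if severity is None:
            continue
        alerts.append({
            "severity": severity,
            "exchange_pool": is_exchange_pool(e.get("ParentCommandLine", "")),
            "host": e.get("Computer", ""),
            "parent": e.get("ParentImage", ""),
            "child": e.get("Image", ""),
            "cmdline": e.get("CommandLine", ""),
        })
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool"',
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},
    {"Computer": "WS042", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\W3WP.EXE",
     "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool"',
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The exchange_pool flag lets a SOC triage the alert on an Exchange server differently from the same parent/child pair on an unrelated IIS host, and the medium tier keeps unexpected but non-shell children visible without burying the high-confidence cases.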
Implement file integrity monitoring on critical Exchange server directories. Attackers exploiting CVE-2026-17747 will likely drop a web shell (.aspx file) to establish persistence. Configure FIM to monitor for file creation and modification in directories like C:\inetpub\wwwroot\aspnet_client\ and other Exchange web directories. An alert on a new .aspx, .ashx, or .asmx file appearing in these locations should be treated as a critical incident requiring immediate investigation.
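A minimal file-integrity monitor for the directories just described, as an added example that is not code from the advisory or from Microsoft. The monitored path and the .aspx/.ashx/.asmx extension list come from the article; the sandbox directory, file names and contents used by demo() are constructed here so the code runs offline and never touches a real Exchange install.

```python
"""File-integrity monitoring (FIM) for Exchange web directories.

Added example, not code from the advisory or from Microsoft. The monitored
path and the extension list come from the article; the sandbox directory and
file contents in demo() are constructed here so the code runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

# Extensions the article calls out; compared lower-cased.
WEBSHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# Production directory named in the article (demo() uses a temp dir instead).
MONITORED_DIRS = [r"C:\inetpub\wwwroot\aspnet_client"]


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, '/'-separated) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots and list created, modified and deleted paths."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }


def classify_changes(changes: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """A created or modified file with a web-shell extension is a critical alert;
    every other change is informational."""
    alerts: List[Dict[str, str]] = []
    for kind in ("created", "modified"):
        for path in changes[kind]:
            ext = os.path.splitext(path)[1].lower()
            severity = "critical" if ext in WEBSHELL_EXTENSIONS else "info"
            alerts.append({"severity": severity, "change": kind, "path": path})
    for path in changes["deleted"]:
        alerts.append({"severity": "info", "change": "deleted", "path": path})
    return alerts


def demo() -> List[Dict[str, str]]:
    """Constructed scenario: baseline a fake aspnet_client tree, then simulate
    a dropped .aspx file and a modified script."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "system_web")
        os.makedirs(sub)
        js = os.path.join(sub, "WebForms.js")
        with open(js, "w") as fh:
            fh.write("// constructed baseline content\n")
        before = snapshot(root)

        # Simulated post-exploitation activity (placeholder text, not a real web shell).
        with open(os.path.join(root, "dropped.aspx"), "w") as fh:
            fh.write("<!-- constructed placeholder -->\n")
        with open(js, "a") as fh:
            fh.write("// constructed modification\n")
        after = snapshot(root)

    return classify_changes(diff_snapshots(before, after))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the baseline snapshot would be taken right after patching and stored off-host, and snapshot() would be run over each entry in MONITORED_DIRS on a schedule or from a file-system watcher; the extension check is deliberately case-insensitive so a dropped SHELL.ASPX is not missed.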

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.