Executive Summary

Microsoft has released an emergency, out-of-band security update to address a critical privilege escalation vulnerability in on-premise Microsoft Exchange Server 2016 and 2019. The vulnerability, identified as CVE-2026-21445, has a CVSS score of 9.1. It is a post-authentication flaw, meaning an attacker must first possess credentials for a low-privilege user account. However, once authenticated, they can exploit the flaw to elevate their privileges to Domain Administrator, granting them complete control over the target's Active Directory forest. While there is no evidence of active exploitation yet, Microsoft deemed the flaw severe enough to warrant a patch outside the normal Patch Tuesday cycle. Administrators are strongly advised to apply the update with the highest priority.

Vulnerability Details

• CVE ID: CVE-2026-21445
• Severity: Critical (CVSS 9.1)
• Type: Privilege Escalation
• Vector: An authenticated attacker can send a specially crafted request to the Exchange PowerShell backend.
• Impact: Successful exploitation allows an attacker to escalate privileges from a standard user to a Domain Administrator.
• Prerequisite: Attacker must have credentials for a valid, non-administrative user account on the domain.

Affected Systems

• Microsoft Exchange Server 2016 (all supported Cumulative Updates)
• Microsoft Exchange Server 2019 (all supported Cumulative Updates)

Exchange Online is not affected.

Exploitation Status

As of the patch release on February 22, 2026, Microsoft has stated there is no evidence of active exploitation in the wild. However, the public disclosure and the relative simplicity of the exploit (as described by the Zero Day Initiative) mean that threat actors will likely reverse-engineer the patch and develop exploits quickly. The out-of-band nature of the release underscores the high risk of future exploitation.

Impact Assessment

A vulnerability that allows for escalation to Domain Admin is one of the most critical types of flaws in a Windows environment. A Domain Admin can control every user, computer, and server in the domain. An attacker with this level of access can deploy ransomware across the entire network, steal any data they want, create new administrator accounts for persistence, and erase their tracks. Given that the only prerequisite is a single set of low-privilege credentials—which can be easily obtained via phishing—the potential for a complete organizational compromise is extremely high.

Detection Methods

• Vulnerability Scanning: Use vulnerability management tools to scan your environment and identify all on-premise Exchange Servers that are missing the emergency patch for CVE-2026-21445.
• Log Analysis: After patching, monitor Exchange and PowerShell logs for anomalies. Specifically, look for unusual or malformed requests to the Exchange PowerShell backend. Monitor for any unexpected privilege escalation events or changes to high-privilege groups like 'Domain Admins'.
• D3FEND: Implement D3-DAM: Domain Account Monitoring to detect anomalous additions or modifications to privileged Active Directory groups.

Remediation Steps

1. Apply the Patch Immediately: The primary and most urgent action is to download and install the security update for CVE-2026-21445 from the Microsoft Security Response Center (MSRC) on all on-premise Exchange 2016 and 2019 servers.
2. Prioritize Patching: Follow a risk-based approach. Patch internet-facing Exchange servers first, followed by internal servers.
3. Verify Installation: After applying the update, follow Microsoft's guidance to verify that the patch has been successfully installed and the server is no longer vulnerable.
4. Strengthen Credential Security: As this is a post-authentication exploit, strengthening defenses against initial credential theft is crucial. Implement MFA for all users, conduct phishing awareness training, and use strong, unique passwords.