CVE-2026-42897: On-Premises Exchange Under Attack With No Login Required

Published on May 16, 2026 | Translated from Spanish

The CVE-2026-42897 vulnerability is being actively exploited in on-premises Microsoft Exchange servers. This flaw allows an attacker to compromise the system by simply sending a malicious email. Most critically, no authentication is required, making any exposed server an easy target for unauthorized access and potential data theft.


The technical mechanism behind the credential-less attack 🛡️

The flaw resides in Exchange's incoming message handling component. When processing an email with manipulated header fields, the service fails to properly validate the input before passing it to the command execution engine. This allows arbitrary code injection within the system context. Since the attack vector is a simple email, any server with the SMTP port open is vulnerable without requiring user interaction or prior privileges.

The email that arrives and the server that departs 😅

It turns out the inbox no longer just brings spam about Nigerian inheritances; now it also brings an RCE as a bonus. Attackers have discovered that real phishing isn't about stealing your password, but about stealing your entire server with a simple "Hi, I'm the boss." And while Microsoft prepares a patch, all that's left for us is to hope the attacker has good taste and doesn't delete the office photos.