CIO Briefings · Critical Impact · ACTION REQUIRED

Microsoft Exchange Server Has an Unpatched SYSTEM-Level Remote Code Execution Vulnerability — Here Is What That Means for Your Organisation

Security researchers publicly demonstrated an unpatched three-bug exploit chain against Microsoft Exchange Server at Pwn2Own Berlin 2026, achieving the highest possible privilege level (SYSTEM) on a fully updated Exchange Server without any password or user account. The patch will arrive within 90 days. Organisations must prepare defensive measures immediately and plan for emergency patching when it arrives.

Tags: #GDPR #NIS2 #DORA #ISO-27001

What Happened

Cybersecurity researchers from the DEVCORE Research Team publicly demonstrated an attack against Microsoft Exchange Server — the software used by many organisations to run their internal and external email systems — at the Pwn2Own Berlin 2026 security competition. The attack used three previously unknown vulnerabilities chained together to achieve the highest possible level of control over an Exchange Server without requiring any password, user account, or prior access.

This level of access — called “SYSTEM” in Windows terminology — means an attacker can read every email on the server, impersonate any user, install persistent software, and use the compromised server as a launch point for further attacks against the rest of the network.

Microsoft received full technical details of the vulnerabilities under the responsible disclosure rules of the Pwn2Own competition and has up to 90 days to release a security fix. The technical details of the attack are confidential until the fix is released. No evidence of exploitation in the wild has been reported.

The same research team (DEVCORE) previously discovered other major Exchange Server vulnerabilities in 2021 — “ProxyLogon” and “ProxyShell” — which were subsequently exploited globally by nation-state actors and cybercriminal groups.

Business Impact

An attacker who achieves this level of access to your Exchange Server would have access to:

  • All email communications across the organisation — past and present email for all users, including executive, legal, finance, and human resources correspondence
  • Meeting invitations, calendar data, and contact lists for all employees
  • Email attachments — contracts, financial documents, strategic plans, personal data
  • Credentials and authentication material — Exchange Servers typically process and store credentials in ways that an attacker with SYSTEM access can extract

The combination of DEVCORE's track record (its prior Exchange exploits were weaponised within days of patch release by sophisticated attackers) and the public demonstration creates a high likelihood that this vulnerability will be actively exploited in the wild as soon as the patch is released and technical details begin to circulate.

Regulatory Implications

Organisations processing personal data on Exchange Server may face GDPR obligations if this vulnerability is exploited and email data is accessed. Under GDPR Article 33, a personal data breach requires supervisory authority notification within 72 hours. Under NIS2, essential and important services must notify their national CSIRT of significant incidents within 24 hours. DORA financial entities should pre-assess this scenario under their incident classification framework.

Board-Ready Summary

  • Security researchers publicly demonstrated they can access our email server with complete control and without any password. This is a confirmed, publicly demonstrated capability.
  • No evidence of criminals using this attack yet. The technical details are being kept confidential for up to 90 days while Microsoft develops a fix.
  • Given this research team’s history, when the fix is released, sophisticated attackers will likely attempt to exploit it rapidly.
  • We are implementing protective measures now and have scheduled emergency patching for when the fix arrives.

Recommended Actions

  1. Restrict Exchange Server network access (this week): Ensure that Exchange Server HTTPS (port 443) is not directly accessible from the internet without a Web Application Firewall (WAF) and that management interfaces (Exchange Admin Centre) are accessible only from the management network or a privileged access workstation (PAW). Reducing internet-facing exposure limits which attackers can attempt to exploit this vulnerability.

  2. Verify the Exchange Emergency Mitigation Service is active: In the Exchange Management Shell, run Get-ExchangeServer | ft Name, MitigationsEnabled and confirm that MitigationsEnabled shows True for every Exchange Server. This service automatically applies protective rules as Microsoft publishes them, so it is the fastest channel through which Microsoft can deliver an interim mitigation before the patch.

  3. Audit who can reach your Exchange Servers on port 443: Review firewall rules, network access control lists, and reverse proxy configurations. Any IP range that does not need to reach Exchange for business purposes should be blocked.

  4. Prepare emergency patch procedures now: Identify the system owners, approval chain, and deployment process for Exchange security updates. Pre-stage the change request and test environment so that when Microsoft releases the patch, deployment can begin within hours rather than days.

  5. Increase monitoring on Exchange Servers: Work with your security operations team to increase monitoring sensitivity on Exchange Servers for the next 90 days — specifically for unusual processes spawned by Exchange, unexpected outbound network connections from Exchange, and new files created in Exchange web directories.
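As an added illustration of action items 2 and 5 (this script is not part of the briefing and is not Microsoft's tooling), the following read-only PowerShell triage script checks the MitigationsEnabled flag on every server, lists processes spawned by the Exchange IIS worker process, lists established outbound connections from that worker to non-private addresses, and lists recently created script or handler files under the Exchange web directories. It assumes it runs in the Exchange Management Shell on an Exchange server, that Sysmon is installed with process-creation logging (Event ID 1), and that the installer-set $env:ExchangeInstallPath variable is present; the lookback window, the parent-process names, the web-root paths and the file extensions are choices made for this example and should be adjusted to your environment.

```powershell
<#
  Added example, not from the briefing or from Microsoft. Assumptions: Exchange Management
  Shell on an Exchange server, Sysmon installed with Event ID 1 (process creation) logging,
  $env:ExchangeInstallPath set by the Exchange installer. Lookback window, parent names,
  web roots and extensions are illustrative choices.
#>
param(
    [int]$LookbackHours = 24
)

$since  = (Get-Date).AddHours(-$LookbackHours)
$report = [ordered]@{}

# --- Item 2: confirm the Emergency Mitigation Service flag on every server -----------------
$servers = Get-ExchangeServer | Select-Object Name, MitigationsEnabled
$servers | Format-Table -AutoSize
# Anything other than True (including a missing value) is worth a follow-up.
$report.ServersMitigationsNotEnabled = @($servers | Where-Object { $_.MitigationsEnabled -ne $true })

# --- Item 5a: processes spawned by the Exchange IIS worker process ------------------------
# Sysmon Event ID 1 records ParentImage; w3wp.exe hosts the Exchange front end and back end.
# UMWorkerProcess.exe only exists on older builds with Unified Messaging.
$parents  = @('w3wp.exe', 'UMWorkerProcess.exe')
$children = foreach ($ev in Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
    } -ErrorAction SilentlyContinue) {
    $field = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    if ($field.ParentImage -and ($parents -contains (Split-Path $field.ParentImage -Leaf))) {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Parent      = $field.ParentImage
            Child       = $field.Image
            CommandLine = $field.CommandLine
            User        = $field.User
        }
    }
}
$report.ChildrenOfExchangeWorkers = @($children)

# --- Item 5b: established outbound connections from w3wp.exe to non-private addresses ------
# Crude private/loopback/link-local filter; tune it to your own address plan.
$privateNet = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:|f[cd][0-9a-f]{2}:)'
$workerPids = @(Get-Process -Name w3wp -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
$report.ExternalConnectionsFromWorkers = @(
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $workerPids -contains $_.OwningProcess -and $_.RemoteAddress -notmatch $privateNet } |
        Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort
)

# --- Item 5c: recently created handler files under the Exchange web directories -----------
$webRoots = @()
if ($env:ExchangeInstallPath) {
    $webRoots += (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy')
    $webRoots += (Join-Path $env:ExchangeInstallPath 'ClientAccess')
}
$webRoots += (Join-Path $env:SystemDrive 'inetpub\wwwroot')   # default IIS root, assumed
$webRoots  = $webRoots | Where-Object { Test-Path $_ }
$report.NewWebFiles = @(
    Get-ChildItem -Path $webRoots -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asax `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since } |
        Select-Object FullName, CreationTime, Length
)

# Print each finding set. An empty set is the expected, healthy result; anything listed
# needs an analyst to confirm it is a known change (CU install, admin activity) or escalate.
foreach ($key in $report.Keys) {
    Write-Host "`n== $key ($($report[$key].Count)) =="
    $report[$key] | Format-Table -AutoSize
}
```

Run it on a schedule (for example hourly via a task on each Exchange server) and forward the output to the SOC; a baseline run taken before any incident tells the analyst which child processes and files are normal for your build, which is what makes the later diffs meaningful. Without Sysmon, the same parent/child relationship is available from Security log Event ID 4688 once command-line auditing is enabled, with the parent in the "Creator Process Name" field.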