CISA Issues Emergency Directive Over Critical Microsoft Exchange Vulnerability
CISA has issued an emergency directive requiring federal agencies to patch or mitigate a critical Microsoft Exchange vulnerability within 48 hours.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring all federal civilian executive branch agencies to patch or mitigate a critical zero-day vulnerability in Microsoft Exchange Server within 48 hours.
The vulnerability, CVE-2026-21400, allows unauthenticated remote attackers to achieve code execution on affected Exchange servers. Microsoft released an out-of-band patch earlier today after determining the flaw was being actively exploited.
"We are aware of limited, targeted attacks exploiting this vulnerability," Microsoft stated in its security advisory. The company credits Mandiant with discovering the exploitation and reporting the vulnerability.
According to Mandiant, a suspected Chinese state-sponsored threat actor has been exploiting the vulnerability since at least March 2026 to deploy web shells on Exchange servers belonging to organizations in the defense and technology sectors.
"The attacks we've observed are highly targeted and sophisticated," said Charles Carmakal, Mandiant's CTO. "The threat actor is demonstrating detailed knowledge of victims' environments, suggesting extensive prior reconnaissance."
CISA's emergency directive applies to all federal agencies running on-premises Exchange Server 2019 or Exchange Server 2016. Agencies must either apply Microsoft's patch or disconnect vulnerable servers from the network.
The directive also requires agencies to hunt for indicators of compromise and report any evidence of exploitation to CISA within 72 hours.
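The directive's hunt requirement, combined with Mandiant's observation that the actor drops web shells on Exchange servers, suggests a concrete starting point: enumerate recently modified or suspicious-looking ASP.NET files under the Exchange web roots. The script below is an added illustration written for this article, not code from CISA, Microsoft or Mandiant, and it carries no indicators from this incident; the path layout (`owa/auth`), the file names and the 30-day cutoff are assumptions, and the signature list is a generic set of strings that defenders commonly look for in ASP.NET web shells. It builds its own constructed sample tree so it runs offline.

```python
import os
import re
import tempfile
import time

# Generic strings commonly seen in ASP.NET web shells (assumption: a starting
# signature set, not indicators from the incident described in the article).
SUSPICIOUS = [
    re.compile(r"Process\.Start", re.I),
    re.compile(r"cmd\.exe", re.I),
    re.compile(r"\bEval\s*\(", re.I),
    re.compile(r"Request\.(Form|QueryString|Item)\s*\[", re.I),
]

WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def scan_web_root(root, since_epoch):
    """Walk `root` and return a sorted list of (relative_path, reasons) for
    ASP.NET files that were modified at or after `since_epoch` or whose
    contents match any signature. Each finding carries every reason that
    applied, so a triager can see whether timing and content both fired."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            try:
                st = os.stat(path)
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than crash the hunt
            if st.st_mtime >= since_epoch:
                reasons.append("modified after cutoff")
            for pat in SUSPICIOUS:
                if pat.search(text):
                    reasons.append("matches " + pat.pattern)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a legacy logon page with an old timestamp and a
    freshly dropped file whose (commented, non-functional) body contains two
    of the signature strings. Paths are assumptions modelled on an OWA layout."""
    root = tempfile.mkdtemp(prefix="owa-sample-")
    auth_dir = os.path.join(root, "owa", "auth")
    os.makedirs(auth_dir)

    benign = os.path.join(auth_dir, "logon.aspx")
    with open(benign, "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<!-- constructed benign page -->\n')
    old = time.time() - 400 * 86400  # ~13 months ago: well before the cutoff
    os.utime(benign, (old, old))

    dropped = os.path.join(auth_dir, "errorFF.aspx")
    with open(dropped, "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<script runat="server">\n'
                 '// constructed sample: contains Request.Form[ and Process.Start\n'
                 '</script>\n')
    return root


def demo(days=30):
    """Run the hunt over the constructed tree with a `days`-old cutoff."""
    root = build_sample_tree()
    return scan_web_root(root, time.time() - days * 86400)


if __name__ == "__main__":
    for rel, why in demo():
        print(rel, "->", "; ".join(why))
```

On a real server the root would be the IIS web roots for the Exchange front end and back end, the cutoff would be the earliest plausible exploitation date, and every hit should be compared against a known-good file inventory from an unpatched-but-clean peer rather than deleted on sight, since the actor's prior reconnaissance noted by Mandiant makes look-alike file names likely.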
Microsoft recommends that organizations unable to patch immediately disable Outlook Web Access (OWA) as a temporary mitigation, though doing so will cut off user access to webmail.