// #exchange
8 articles
HTTP.sys CVE-2026-47291: Quantifying Wormable Risk Across the Windows Server Estate
Three days after the June Patch Tuesday, CVE-2026-47291 in HTTP.sys remains unpatched on a significant proportion of enterprise Windows Server infrastructure. This article maps the attack surface — which services expose HTTP.sys, how the worm propagation would function, and what network controls reduce the blast radius while patching is in progress.
Exchange CVE-2026-42897 One Week On: Active Exploitation Continues, No Patch Available — Updated Guidance
Microsoft Exchange Server's OWA session hijacking zero-day CVE-2026-42897 entered its second week without a permanent patch. Microsoft's Emergency Mitigation Service (EEMS) rule remains the only automated protection for Exchange Online-connected on-premises environments. Security teams should now focus on identifying whether exploitation occurred during the disclosure week and verifying their mitigation status.
Pwn2Own Week Exposes the Limits of Identity as a Security Control — What IAM Teams Should Review
The week of 12–18 May 2026 produced two distinct scenarios where identity controls — Conditional Access, MFA, and Zero Trust enforcement — provided no meaningful protection: Exchange Server-side RCE (operating below the authentication layer) and Exchange OWA session hijacking (stealing tokens after authentication). Both are active or imminent threats. Both require defences that go beyond the identity layer.
Why Exchange SYSTEM RCE Bypasses Conditional Access and MFA: The Authentication Architecture Problem
The Exchange SYSTEM RCE chain demonstrated by DEVCORE at Pwn2Own Berlin 2026 achieves code execution at the operating system level, bypassing all identity controls including Conditional Access policies, MFA requirements, and Azure AD authentication entirely. Understanding why server-side RCE renders identity controls irrelevant is essential for accurate risk assessment.
Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs
With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.
Pwn2Own Berlin 2026 Day 2: DEVCORE Chains Three Bugs for Exchange SYSTEM RCE — 15 Zero-Days and $385K Awarded
The second day of Pwn2Own Berlin saw DEVCORE's Orange Tsai chain three previously unknown vulnerabilities to achieve SYSTEM-level remote code execution on fully patched Microsoft Exchange Server, earning $200,000. Day 2 also featured Red Hat Enterprise Linux LPE, additional Windows 11 privilege escalation, and LM Studio AI exploitation across 15 unique zero-days.
Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited in XSS Attacks — OOB Mitigation Available, No Patch Yet
Microsoft disclosed an actively exploited cross-site scripting zero-day in Exchange Server (CVE-2026-42897) that allows attackers to inject malicious scripts into Outlook Web App sessions, hijack authenticated user sessions, and exfiltrate email content. No patch is available. Microsoft deployed an Emergency Exchange Mitigation Service (EEMS) rule as an interim control while a patch is developed.
CISA Adds Seven CVEs to KEV Including Decade-Old Microsoft Bugs Exploited by Storm-1175
CISA has added seven vulnerabilities to the Known Exploited Vulnerabilities catalogue, including four Microsoft flaws spanning from 2012 to 2025 being actively leveraged by the Storm-1175 ransomware group. The additions highlight a persistent patching blind spot: vulnerabilities patched years ago that never made it into legacy system maintenance cycles, now routinely weaponised for initial access and privilege escalation.