Microsoft Exchange Security Feature Bypass Vulnerability (CVE-2026-21527) Patched
Microsoft has released a patch for CVE-2026-21527, a security feature bypass vulnerability in Exchange's InterceptorSmtpAgent that allows remote unauthenticated attackers to bypass a security feature via improper SMTP header parsing.
Microsoft has issued a security update to address CVE-2026-21527, a vulnerability in Microsoft Exchange that allows remote unauthenticated attackers to bypass a security feature. The flaw, reported by Vladislav Berghici of Trend Research through the Zero Day Initiative (ZDI-26-194), resides in the InterceptorSmtpAgent class and stems from improper parsing of SMTP headers. With a CVSS score of 5.3, the vulnerability is rated medium severity but could enable attackers to circumvent protections designed to block malicious emails.
The vulnerability specifically affects the InterceptorSmtpAgent, a component used in Exchange transport pipelines to inspect and filter SMTP traffic. By exploiting the improper header parsing, an attacker can craft messages that evade security checks, potentially allowing phishing or malware-laden emails to reach user inboxes. Microsoft has not reported active exploitation in the wild, but the advisory notes that authentication is not required to exploit the flaw, making it accessible to any remote attacker.
Microsoft has released an update to correct the vulnerability, available through the Microsoft Security Response Center (MSRC) update guide. The disclosure timeline shows the vulnerability was reported to Microsoft on November 14, 2025, with coordinated public release on March 16, 2026. Organizations running Microsoft Exchange are urged to apply the patch promptly to mitigate the risk of security feature bypass.
This vulnerability adds to a growing list of Exchange flaws that have been targeted by threat actors in recent years. While the CVSS score is relatively low, the ability to bypass security features without authentication makes it a concern for defenders who rely on Exchange's built-in protections. The patch is included in the March 2026 security update rollup for Exchange Server.
Administrators should prioritize testing and deploying the update, especially in environments where Exchange is exposed to the internet. As with all security patches, timely application is critical to maintaining a strong security posture against evolving threats.