ZDI 2026-03-16

ZDI-26-194: Microsoft Exchange InterceptorSmtpAgent Improper Input Validation Security Feature Bypass Vulnerability

CVE-2026-21527

Machine-generated analysis · WAYSCloud LLM

The vulnerability affects Microsoft Exchange's InterceptorSmtpAgent and stems from improper input validation, enabling remote security feature bypass without authentication.

Context

The affected component is the InterceptorSmtpAgent in Microsoft Exchange. The vulnerability is an improper input validation that allows remote attackers to bypass a security feature. Authentication is not required to exploit this issue. The CVSS score is rated at 5.3, indicating a medium severity impact based on the stated exploitability and vector.

Operator considerations

Check: Identify Microsoft Exchange servers running the InterceptorSmtpAgent component.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to bypass a security feature on affected installations of Microsoft Exchange. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2026-21527.

Read the full advisory on ZDI →