Microsoft: Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks


Microsoft Warns of Actively Exploited Exchange Server Vulnerability (CVE-2026-42897)

Microsoft has issued an urgent security alert for a vulnerability in on-premises Exchange Server, tracked as CVE-2026-42897, that is already being exploited in the wild. Microsoft classifies the flaw as spoofing and rates it Critical; its CVSS base score is 8.1. It affects Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition, and lets an attacker execute arbitrary JavaScript in a user's browser simply by sending that user a malicious email.

The vulnerability stems from improper input neutralization in Outlook Web Access (OWA): content from an incoming email is rendered without adequate sanitization, so a crafted message carries a cross-site scripting (XSS) payload. No administrative privileges are required; the attacker only needs the email to be delivered. When the targeted user opens the message in OWA, the script runs in the context of that user's authenticated OWA session, which can lead to session hijacking or manipulation of the data shown in the browser.

Microsoft has released a temporary mitigation (M2.1.x) through the Exchange Emergency Mitigation Service (EEMS), which is applied automatically on servers where the service is enabled. Organizations whose servers cannot reach the service, such as air-gapped environments, must deploy it manually with the Exchange On-premises Mitigation Tool. The mitigation may break the OWA Print Calendar feature and inline image rendering; security experts nonetheless recommend leaving it in place until a permanent security update is available.

A final security update is in development, with the Exchange Server Subscription Edition expected to receive it first. Older versions (2016 and 2019) will only receive patches if enrolled in the Extended Security Update program, prompting organizations to upgrade outdated deployments. Cloud-based Exchange Online users remain unaffected.
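Before trusting the automatic mitigation, an administrator will want to confirm that EEMS is actually on, that its service is running on every server, and that the mitigation has landed, and to know which servers are 2016/2019 (and so need Extended Security Update enrollment for the eventual patch) versus Subscription Edition. The Exchange Management Shell script below is an added example written for this page; it is not from the article, from Microsoft, or from the advisory. It uses the real `Get-OrganizationConfig` and `Get-ExchangeServer` cmdlets and their `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties (present since Exchange 2016 CU22 / 2019 CU11). The mitigation prefix `M2.1` is taken from the "M2.1.x" identifier in the article and is an assumption to verify against Microsoft's advisory; the service name `MSExchangeMitigation` is the EEMS Windows service.

```powershell
# Added example (not from the article or from Microsoft): inventory on-premises
# Exchange servers and check Emergency Mitigation Service (EEMS) posture.
# Run from the Exchange Management Shell (Windows PowerShell 5.1) as an
# Exchange administrator with RPC access to each server for the service check.

# Assumption: the article reports the mitigation as "M2.1.x"; confirm the exact
# identifier in Microsoft's advisory before relying on this prefix.
$ExpectedMitigationPrefix = 'M2.1'

# Org-wide switch: if this is False, EEMS will not apply any mitigation automatically.
$orgMitigations = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization-level MitigationsEnabled: $orgMitigations"

$report = foreach ($server in Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }) {
    # AdminDisplayVersion is 'Version 15.1 (Build ...)' for Exchange 2016 and
    # 'Version 15.2 (Build ...)' for Exchange 2019 and Subscription Edition.
    $version = $server.AdminDisplayVersion.ToString()
    $family = switch -Regex ($version) {
        'Version 15\.1' { 'Exchange 2016 (ESU needed for patch)' }
        'Version 15\.2' { 'Exchange 2019 (ESU needed) / Subscription Edition' }
        default         { 'Unknown or unsupported' }
    }

    # Per-server EEMS state. MitigationsApplied/MitigationsBlocked are lists of
    # mitigation IDs; coerce to arrays so empty values join cleanly below.
    $applied = @($server.MitigationsApplied)
    $blocked = @($server.MitigationsBlocked)
    $hasExpected = @($applied | Where-Object { $_ -like "$ExpectedMitigationPrefix*" }).Count -gt 0

    # EEMS runs as the 'MSExchangeMitigation' Windows service on each mailbox server.
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server                = $server.Name
        Family                = $family
        Version               = $version
        MitigationsEnabled    = $server.MitigationsEnabled
        EEMSServiceStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        MitigationsApplied    = ($applied -join ',')
        MitigationsBlocked    = ($blocked -join ',')
        HasExpectedMitigation = $hasExpected
    }
}

$report | Format-Table -AutoSize

# Servers that still need attention: EEMS disabled, service not running, or the
# expected mitigation absent. These are the hosts to handle with the Exchange
# On-premises Mitigation Tool (EOMT.ps1), as the article advises for air-gapped
# deployments, and to re-check once the permanent security update ships.
$report | Where-Object {
    -not $_.MitigationsEnabled -or
    $_.EEMSServiceStatus -ne 'Running' -or
    -not $_.HasExpectedMitigation
} | Select-Object Server, Family, MitigationsEnabled, EEMSServiceStatus, MitigationsApplied, MitigationsBlocked
```

A non-empty `MitigationsBlocked` column means an administrator explicitly blocked that mitigation on the server; given the article's advice to keep M2.1.x active, any entry there matching the expected prefix deserves a second look. The script reads state only; it does not apply or remove mitigations.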

Source: https://cybersecuritynews.com/microsoft-exchange-server-vulnerability-exploited/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "mic1778833438",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/IT Services',
                        'location': 'Global',
                        'name': 'Microsoft Exchange Server Users',
                        'type': 'Software/Service Provider'}],
 'attack_vector': 'Malicious Email (Outlook Web Access - OWA)',
 'customer_advisories': 'Cloud-based Exchange Online users remain unaffected; '
                        'on-premises users advised to apply mitigations',
 'data_breach': {'sensitivity_of_data': 'Browser data (potential session '
                                        'hijacking)'},
 'description': 'Microsoft has issued an urgent security alert for a critical '
                'spoofing vulnerability in on-premises Exchange Server, '
                'tracked as CVE-2026-42897, which is already being exploited '
                'in the wild. The flaw affects Exchange Server 2016, 2019, and '
                'the Subscription Edition, allowing threat actors to execute '
                'arbitrary JavaScript in a user’s browser via a malicious '
                'email. The vulnerability stems from improper input '
                'neutralization in Outlook Web Access (OWA), enabling '
                'cross-site scripting (XSS) attacks without requiring '
                'administrative privileges. When a targeted user opens a '
                'crafted email in OWA, the payload triggers, potentially '
                'leading to session hijacking or browser data manipulation.',
 'impact': {'identity_theft_risk': 'Session hijacking risk',
            'operational_impact': 'Disruption of Outlook Web Access Print '
                                  'Calendar functionality and inline image '
                                  'rendering',
            'systems_affected': 'Exchange Server 2016, 2019, Subscription '
                                'Edition'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Development of permanent '
                                                  'patch; temporary mitigation '
                                                  'deployment',
                            'root_causes': 'Improper input neutralization in '
                                           'Outlook Web Access (OWA)'},
 'recommendations': 'Apply temporary mitigation (M2.1.x) immediately; upgrade '
                    'to Exchange Server Subscription Edition for permanent '
                    'patch; enroll older versions in Extended Security Update '
                    'program if applicable; avoid opening suspicious emails in '
                    'OWA',
 'references': [{'source': 'Microsoft Security Alert'}],
 'response': {'communication_strategy': 'Urgent security alert issued by '
                                        'Microsoft',
              'containment_measures': 'Temporary mitigation (M2.1.x) via '
                                      'Exchange Emergency Mitigation Service; '
                                      'manual deployment of Exchange '
                                      'on-premises Mitigation Tool for '
                                      'air-gapped environments',
              'remediation_measures': 'Final security update in development; '
                                      'Exchange Server Subscription Edition to '
                                      'receive patch first; older versions '
                                      '(2016, 2019) require Extended Security '
                                      'Update program enrollment'},
 'title': 'Microsoft Warns of Actively Exploited Exchange Server Vulnerability '
          '(CVE-2026-42897)',
 'type': 'Spoofing Vulnerability',
 'vulnerability_exploited': 'CVE-2026-42897'}