Microsoft has released security updates to address a critical Exchange Server zero-day vulnerability (CVE-2026-42897). According to reports, attackers actively exploited this flaw in real-world attacks. The issue affects on-premises Exchange Server deployments.
In addition, the vulnerability can allow attackers to execute malicious JavaScript in certain scenarios involving Outlook on the web (OWA). As a result, attackers may target webmail sessions directly.
According to Microsoft, the vulnerability is a cross-site scripting (XSS) issue. Specifically, attackers can trigger spoofing attacks when Exchange processes specially crafted content. Consequently, successful exploitation may lead to session compromise, data theft, or unauthorized actions inside webmail accounts.
The vulnerability impacts the following products:
- Exchange Server 2016
- Exchange Server 2019
- Exchange Server Subscription Edition (SE)
Initially, Microsoft did not provide a full security patch at disclosure time. However, the company deployed mitigations through the Exchange Emergency Mitigation Service (EEMS). In addition, this service can automatically apply protections for supported on-premises environments.
Microsoft strongly urged organizations to apply mitigations immediately. Furthermore, administrators should ensure Exchange servers remain fully updated, since they are frequent targets due to internet exposure.
Security researchers also warn that Exchange vulnerabilities are especially dangerous. For example, these systems often contain sensitive emails, authentication data, and internal business communications. Therefore, attackers actively target them in enterprise environments.
To reduce risk, organizations should:
- Apply Microsoft security updates and mitigations immediately
- Enable and verify Exchange Emergency Mitigation Service (EEMS)
- Restrict unnecessary exposure of Outlook on the web (OWA)
- Monitor logs for suspicious activity
- Follow Microsoft’s security guidance for Exchange deployments
Ultimately, rapid response is critical to reducing exposure from this actively exploited vulnerability.
Key Takeaways
- Microsoft patched an actively exploited Exchange zero-day (CVE-2026-42897)
- Affects Exchange Server 2016, 2019, and Subscription Edition
- Attack vector involves XSS via Outlook on the web
- Microsoft used EEMS as a temporary mitigation
- Organizations should apply patches and monitor Exchange systems
No responses yet