Microsoft Patches Exchange Server Zero-Day Used in Active Attacks

Key Takeaways

• CVE-2026-42897 allows remote attackers to execute JavaScript in OWA with zero privileges required
• CISA added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by May 29
• Microsoft recommends keeping emergency mitigations in place even after installing the June 2026 security update

The Vulnerability Explained

Microsoft has patched CVE-2026-42897, a high-severity spoofing vulnerability in Exchange Server that attackers were actively exploiting before the fix arrived. The flaw enables cross-site scripting attacks against users of Outlook Web Access.

The vulnerability affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Remote attackers can exploit it without any privileges.

“An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.”

— Microsoft Exchange Team

The attack chain is straightforward. An attacker sends a malicious email. When the target opens it in OWA and certain conditions are met, JavaScript runs in their browser. That script executes within the user's authenticated session, potentially exposing sensitive data or enabling further compromise.

Timeline of Response

Microsoft first responded in mid-May by pushing temporary mitigations through its Exchange Emergency Mitigation Service. EEMS can automatically apply interim fixes to Exchange servers while permanent patches are in development.

The Cybersecurity and Infrastructure Security Agency moved quickly. On May 15, it added the vulnerability to its catalog of security flaws exploited in the wild. Federal agencies had until May 29 to patch their servers.

Patching Guidance

Microsoft is urging administrators to install the June 2026 security updates immediately. But there's an unusual twist: the company also recommends keeping the temporary mitigations in place.

"We recommend that customers keep the mitigation described in place," Microsoft stated. "The mitigation provides an additional layer of defense and helps ensure continuous protection as further improvements are released."

This belt-and-suspenders approach suggests Microsoft sees value in defense-in-depth here. The mitigations may catch edge cases or attack variants that emerge after the patch.

Exchange Server's Troubled Security History

CVE-2026-42897 joins a long list of Exchange Server vulnerabilities that attackers have exploited in real attacks. Over the past five years, CISA has added 20 Exchange Server flaws to its Known Exploited Vulnerabilities catalog. Ransomware gangs exploited 14 of those 20.

Exchange Server has been a prime target since the ProxyLogon and ProxyShell vulnerabilities in 2021 demonstrated how devastating on-premises email server compromises can be. State-sponsored groups and cybercriminals alike have treated Exchange as a high-value entry point into enterprise networks.

In October 2025, CISA and the National Security Agency released joint guidance on hardening Exchange servers against attacks. That guidance came weeks after Exchange 2016 and 2019 reached end of support.

The ESU Complication

Discussion in cybersecurity communities has highlighted a complication for organizations running older Exchange versions. Exchange Server 2016 and 2019 reached end of support in October 2025. Security patches for these versions now require Extended Security Update subscriptions.

That means organizations still running Exchange 2016 or 2019 without ESU cannot get this patch through normal channels. They either need to purchase ESU coverage, upgrade to Exchange Server SE, or migrate to Exchange Online.

This creates a two-tier security situation where paying customers get protection while others remain exposed. For organizations with tight budgets, this may force difficult decisions about which systems to prioritize.

What Administrators Should Do Now

1. Verify your Exchange Server version and ESU coverage status
2. Install the June 2026 security updates for your Exchange Server version
3. Confirm that EEMS mitigations remain active even after patching
4. Review OWA access logs for any signs of exploitation attempts
5. Consider whether on-premises Exchange still makes sense for your organization

BleepingComputer reports it has not received a response from Microsoft about specific details of the attacks exploiting this vulnerability. The identity of the threat actors and scale of exploitation remain unknown.

Frequently Asked Questions

Which Exchange Server versions are affected by CVE-2026-42897?

Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are all affected by this vulnerability.

Do I need special privileges to exploit this Exchange vulnerability?

No. Remote attackers can exploit CVE-2026-42897 with zero privileges. They only need to send a specially crafted email that the target opens in Outlook Web Access.

Should I remove the EEMS mitigations after installing the patch?

No. Microsoft explicitly recommends keeping the mitigations in place even after patching for additional defense-in-depth protection.

Can I get this patch if I'm running Exchange 2016 or 2019 without ESU?

No. Since these versions reached end of support in October 2025, security updates require an Extended Security Update subscription.

What is the CVSS score for CVE-2026-42897?

The vulnerability has a CVSS base score of 8.1, classifying it as high severity.

Source: BleepingComputer