Microsoft Patches Exchange Server Zero-Day Used in Active Attacks

Huma Shazia, 10 June 2026 at 7:52 pm, 4 min read

Key Takeaways

Source: BleepingComputer
  • CVE-2026-42897 lets an unauthenticated remote attacker run JavaScript in a victim's Outlook Web Access (OWA) session; no privileges are needed on the attacker's side, but the victim has to open the crafted email in OWA
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by May 29
  • Microsoft recommends keeping emergency mitigations in place even after installing the June 2026 security update

The Vulnerability Explained

Microsoft has patched CVE-2026-42897, a high-severity spoofing vulnerability in Exchange Server that attackers were actively exploiting before the fix arrived. The flaw enables cross-site scripting attacks against users of Outlook Web Access.

The vulnerability affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Remote attackers need no privileges or credentials to exploit it; the only requirement is that a user opens the malicious message in OWA.

CVSS base score: 8.1, which classifies CVE-2026-42897 as high severity.

"An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context." (Microsoft Exchange Team)

The attack chain is straightforward. An attacker sends a malicious email. When the target opens it in OWA and the interaction conditions Microsoft alludes to are met, JavaScript runs in their browser. Because the script executes in the OWA origin with the user's authenticated session, it can call OWA's own endpoints with the victim's cookies: read and exfiltrate mail, send messages as the user, or alter mailbox settings, all without the user noticing, and all as a foothold for further compromise.

Timeline of Response

  • Mid-May 2026: Microsoft deployed automatic temporary mitigations through the Exchange Emergency Mitigation Service (EEMS)
  • May 15, 2026: CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog
  • May 29, 2026: CISA deadline for federal agencies to patch
  • June 9, 2026: Microsoft released final security updates for affected Exchange Server versions

Microsoft first responded in mid-May by pushing temporary mitigations through its Exchange Emergency Mitigation Service. EEMS runs on each Exchange server, periodically fetches mitigation definitions from Microsoft's Office Config Service over HTTPS, and applies interim fixes (typically IIS URL Rewrite rules, or disabling a specific Exchange service or application pool) while permanent patches are in development. Two practical caveats follow: servers without outbound connectivity to that endpoint never receive the mitigation, and EEMS can be switched off at the organization level or per server, so "Microsoft deployed mitigations" does not mean every server got them.

The Cybersecurity and Infrastructure Security Agency moved quickly. On May 15, it added the vulnerability to its catalog of security flaws exploited in the wild. Federal agencies had until May 29 to patch their servers.

Patching Guidance

Microsoft is urging administrators to install the June 2026 security updates immediately. But there's an unusual twist: the company also recommends keeping the temporary mitigations in place.

"We recommend that customers keep the mitigation described in place," Microsoft stated. "The mitigation provides an additional layer of defense and helps ensure continuous protection as further improvements are released."

This belt-and-suspenders approach suggests Microsoft sees value in defense-in-depth here. The mitigations may catch edge cases or attack variants that emerge after the patch.

Exchange Server's Troubled Security History

CVE-2026-42897 joins a long list of Exchange Server vulnerabilities that attackers have exploited in real attacks. Over the past five years, CISA has added 20 Exchange Server flaws to its Known Exploited Vulnerabilities catalog. Ransomware gangs exploited 14 of those 20.

Exchange Server has been a prime target since the ProxyLogon and ProxyShell vulnerabilities in 2021 demonstrated how devastating on-premises email server compromises can be. State-sponsored groups and cybercriminals alike have treated Exchange as a high-value entry point into enterprise networks.

In October 2025, CISA and the National Security Agency released joint guidance on hardening Exchange servers against attacks. That guidance came weeks after Exchange 2016 and 2019 reached end of support.

The ESU Complication

Discussion in cybersecurity communities has highlighted a complication for organizations running older Exchange versions. Exchange Server 2016 and 2019 reached end of support in October 2025. Security patches for these versions now require Extended Security Update subscriptions.

That means organizations still running Exchange 2016 or 2019 without ESU cannot get this patch through normal channels. They either need to purchase ESU coverage, upgrade to Exchange Server SE, or migrate to Exchange Online.

This creates a two-tier security situation where paying customers get protection while others remain exposed. For organizations with tight budgets, this may force difficult decisions about which systems to prioritize.

What Administrators Should Do Now

  1. Verify your Exchange Server version and ESU coverage status
  2. Install the June 2026 security updates for your Exchange Server version
  3. Confirm that EEMS mitigations remain active even after patching
  4. Review OWA access logs for any signs of exploitation attempts
  5. Consider whether on-premises Exchange still makes sense for your organization
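As an added example, not code from the article, BleepingComputer or Microsoft, the PowerShell below covers steps 1 and 3 of the checklist, the log-collection part of step 4, and the EEMS connectivity caveat from the timeline section. It assumes the Exchange Management Shell with Organization Management rights and WinRM access to each server. The June 2026 build numbers are not in the article, so $PatchedExSetupBuild is a placeholder you fill from Microsoft's "Exchange Server build numbers and release dates" page; the Office Config Service URL is the one Microsoft documents for EEMS.

```powershell
# Added example (not from the article or from Microsoft). Run in the Exchange Management
# Shell. Cmdlets, properties and log paths are the documented ones; the patched build
# numbers below are an assumption you must fill in from Microsoft's build table.

# Assumption: fill in from Microsoft's "Exchange Server build numbers and release dates".
# Keyed by major.minor of ExSetup.exe (15.1 = Exchange 2016; 15.2 = Exchange 2019 and SE).
$PatchedExSetupBuild = @{
    '15.1' = $null   # e.g. [version]'15.1.xxxx.x' for the June 2026 SU
    '15.2' = $null
}

function Get-ExchangePatchPosture {
    foreach ($srv in Get-ExchangeServer | Sort-Object Name) {
        # Step 1: AdminDisplayVersion only tracks the Cumulative Update. Security Updates do
        # not change it, so the SU level has to be read from ExSetup.exe on the server itself.
        $cuVersion = [string]$srv.AdminDisplayVersion
        $exSetup = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.ProductVersion
        }
        $build  = [version]$exSetup
        $key    = '{0}.{1}' -f $build.Major, $build.Minor
        $target = $PatchedExSetupBuild[$key]

        # Product family decides whether an ESU subscription is needed to obtain this patch.
        $product = switch ($key) {
            '15.1'  { 'Exchange 2016 (out of support; ESU required)' }
            '15.2'  { 'Exchange 2019 (out of support; ESU required) or Subscription Edition' }
            default { 'unrecognised' }
        }

        [pscustomobject]@{
            Server             = $srv.Name
            CumulativeUpdate   = $cuVersion
            ExSetupBuild       = $build
            Product            = $product
            SecurityUpdateOK   = if ($target) { $build -ge $target } else { 'fill $PatchedExSetupBuild' }
            # Step 3: EEMS state per server. MitigationsApplied lists the mitigation IDs the
            # service has applied; MitigationsBlocked lists IDs an admin has excluded. Verify
            # this again after the SU so the mitigation Microsoft says to keep is still present.
            MitigationsEnabled = $srv.MitigationsEnabled
            MitigationsApplied = ($srv.MitigationsApplied -join ';')
            MitigationsBlocked = ($srv.MitigationsBlocked -join ';')
        }
    }
}

function Test-EemsPrerequisites {
    # Org-wide switch: when $false, no server applies mitigations regardless of its own setting.
    $org = Get-OrganizationConfig
    # EEMS fetches mitigation definitions from this Office Config Service endpoint. Any HTTP
    # response, including 4xx, shows the path is open; a transport failure means the server
    # cannot retrieve or refresh mitigations.
    $ocs = 'https://officeclient.microsoft.com/GetExchangeMitigations'
    try {
        $r = Invoke-WebRequest -Uri $ocs -UseBasicParsing -TimeoutSec 15
        $reach = "reachable (HTTP $($r.StatusCode))"
    } catch {
        if ($_.Exception.Response) { $reach = "reachable (HTTP $([int]$_.Exception.Response.StatusCode))" }
        else { $reach = "unreachable: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        OrgMitigationsEnabled = $org.MitigationsEnabled
        OcsEndpoint           = $ocs
        OcsReachability       = $reach
    }
}

function Get-OwaLogPaths {
    # Step 4: where OWA access is recorded on this server. HttpProxy\Owa logs carry the
    # authenticated user and client IP per request; the IIS logs hold the raw request lines
    # (W3SVC1 = Default Web Site / front end, W3SVC2 = Exchange Back End).
    $root = $env:ExchangeInstallPath
    [pscustomobject]@{
        HttpProxyOwa = Join-Path $root 'Logging\HttpProxy\Owa'
        OwaLogs      = Join-Path $root 'Logging\OWA'
        IisFrontEnd  = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles\W3SVC1'
        IisBackEnd   = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles\W3SVC2'
    }
}

Get-ExchangePatchPosture | Format-Table -AutoSize
Test-EemsPrerequisites
Get-OwaLogPaths
```

The script deliberately stops at collecting the logs rather than searching them: the article reports no indicators of compromise for this CVE, and a stored XSS payload arrives in the email body, not in a request URL, so the interesting evidence is more likely to be anomalous post-exploitation activity in the victim's session (new inbox rules, mail sent from an unfamiliar client IP) than a telltale string in the IIS log.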

BleepingComputer reports it has not received a response from Microsoft about specific details of the attacks exploiting this vulnerability. The identity of the threat actors and scale of exploitation remain unknown.


Frequently Asked Questions

Which Exchange Server versions are affected by CVE-2026-42897?

Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are all affected by this vulnerability.

Do I need special privileges to exploit this Exchange vulnerability?

No. Remote attackers can exploit CVE-2026-42897 with zero privileges and no credentials. They only need to send a specially crafted email that the target opens in Outlook Web Access; the user interaction is the one precondition.

Should I remove the EEMS mitigations after installing the patch?

No. Microsoft explicitly recommends keeping the mitigations in place even after patching for additional defense-in-depth protection.

Can I get this patch if I'm running Exchange 2016 or 2019 without ESU?

No. Since these versions reached end of support in October 2025, security updates require an Extended Security Update subscription.

What is the CVSS score for CVE-2026-42897?

The vulnerability has a CVSS base score of 8.1, classifying it as high severity.



Huma Shazia

Senior AI & Tech Writer
