Critical CVE-2026-42897: Microsoft Exchange Server Zero-Day Under Active Exploitation
- May 15
- 2 min read
Key Findings
Microsoft Exchange Server vulnerability CVE-2026-42897 is actively being exploited in the wild
Cross-site scripting flaw with CVSS score of 8.1 enables spoofing and arbitrary JavaScript execution
Vulnerability affects on-premises Exchange Server 2016, 2019, and Subscription Edition at any update level
Exchange Online is not impacted
Temporary mitigation available through Exchange Emergency Mitigation Service; permanent patch in development
Attackers deliver exploit via crafted emails opened in Outlook Web Access under certain conditions
Background
Microsoft disclosed CVE-2026-42897 following active exploitation detected in the wild. An anonymous researcher discovered and reported the vulnerability. The flaw stems from improper input neutralization during web page generation, creating a cross-site scripting vulnerability in Microsoft Exchange Server. While Microsoft released its May 2026 Patch Tuesday updates just two days prior, this zero-day was not included and remains unpatched by standard security updates.
Vulnerability Details
The vulnerability allows an unauthorized attacker to perform spoofing over a network by sending a specially crafted email to a user. When the email is opened in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript code executes in the context of the user's web browser. This creates a direct path for attackers to manipulate content, steal credentials, or perform other malicious actions within the user's authenticated Exchange session.
Affected Systems
On-premises versions of Microsoft Exchange Server are vulnerable, specifically Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Exchange Online deployments remain unaffected by this vulnerability.
Temporary Mitigation
Microsoft is providing immediate relief through the Exchange Emergency Mitigation Service, which deploys a URL rewrite configuration automatically and is enabled by default. For air-gapped environments where this service cannot be used, administrators should download the latest Exchange on-premises Mitigation Tool from aka.ms/UnifiedEOMT and apply it via elevated Exchange Management Shell commands on affected servers. Microsoft noted a known cosmetic issue where the mitigation may display as invalid for certain Exchange versions, but this does not prevent successful application when status shows as Applied.
Risk Context
Exchange Server zero-days pose exceptional risk because email systems sit at the center of corporate operations. Compromised Exchange servers provide attackers direct access to internal communications, credentials, and business workflows. Internet-facing on-premises deployments remain particularly vulnerable until patches deploy. Threat actors frequently target Exchange vulnerabilities in cyber espionage and ransomware campaigns due to the high-value access they provide with minimal detection risk.
Current Status
No details have been disclosed regarding specific threat actors involved, the scale of exploitation efforts, intended targets, or whether attacks have achieved successful compromise. Microsoft is developing a permanent security fix but has not announced a release timeline.
Sources
https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
https://securityaffairs.com/192204/security/cve-2026-42897-microsoft-confirms-active-exploitation-of-exchange-server-zero-day.html
https://x.com/TheHackersNews/status/2055171340936900690
https://securityonline.info/outlook-web-access-vulnerability-cve-2026-42897-exploited/
https://x.com/TheCyberSecHub/status/2055180440638832833

Comments