top of page

Critical CVE-2026-42897: Microsoft Exchange Server Zero-Day Under Active Exploitation

  • May 15
  • 2 min read

Key Findings


  • Microsoft Exchange Server vulnerability CVE-2026-42897 is actively being exploited in the wild

  • Cross-site scripting flaw with CVSS score of 8.1 enables spoofing and arbitrary JavaScript execution

  • Vulnerability affects on-premises Exchange Server 2016, 2019, and Subscription Edition at any update level

  • Exchange Online is not impacted

  • Temporary mitigation available through Exchange Emergency Mitigation Service; permanent patch in development

  • Attackers deliver exploit via crafted emails opened in Outlook Web Access under certain conditions


Background


Microsoft disclosed CVE-2026-42897 following active exploitation detected in the wild. An anonymous researcher discovered and reported the vulnerability. The flaw stems from improper input neutralization during web page generation, creating a cross-site scripting vulnerability in Microsoft Exchange Server. While Microsoft released its May 2026 Patch Tuesday updates just two days prior, this zero-day was not included and remains unpatched by standard security updates.


Vulnerability Details


The vulnerability allows an unauthorized attacker to perform spoofing over a network by sending a specially crafted email to a user. When the email is opened in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript code executes in the context of the user's web browser. This creates a direct path for attackers to manipulate content, steal credentials, or perform other malicious actions within the user's authenticated Exchange session.


Affected Systems


On-premises versions of Microsoft Exchange Server are vulnerable, specifically Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Exchange Online deployments remain unaffected by this vulnerability.


Temporary Mitigation


Microsoft is providing immediate relief through the Exchange Emergency Mitigation Service, which deploys a URL rewrite configuration automatically and is enabled by default. For air-gapped environments where this service cannot be used, administrators should download the latest Exchange on-premises Mitigation Tool from aka.ms/UnifiedEOMT and apply it via elevated Exchange Management Shell commands on affected servers. Microsoft noted a known cosmetic issue where the mitigation may display as invalid for certain Exchange versions, but this does not prevent successful application when status shows as Applied.


Risk Context


Exchange Server zero-days pose exceptional risk because email systems sit at the center of corporate operations. Compromised Exchange servers provide attackers direct access to internal communications, credentials, and business workflows. Internet-facing on-premises deployments remain particularly vulnerable until patches deploy. Threat actors frequently target Exchange vulnerabilities in cyber espionage and ransomware campaigns due to the high-value access they provide with minimal detection risk.


Current Status


No details have been disclosed regarding specific threat actors involved, the scale of exploitation efforts, intended targets, or whether attacks have achieved successful compromise. Microsoft is developing a permanent security fix but has not announced a release timeline.


Sources


  • https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html

  • https://securityaffairs.com/192204/security/cve-2026-42897-microsoft-confirms-active-exploitation-of-exchange-server-zero-day.html

  • https://x.com/TheHackersNews/status/2055171340936900690

  • https://securityonline.info/outlook-web-access-vulnerability-cve-2026-42897-exploited/

  • https://x.com/TheCyberSecHub/status/2055180440638832833

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page