Emerging ThreatsMalware & Ransomware

Microsoft Fixes Zero-Day Flaw in Exchange Server Exploited in Attacks

Analyst 207||Source: BleepingComputer
Office setting with laptop showing blurred email inbox on screen.

CVE-2026-42897 is a high-severity cross-site scripting flaw in Microsoft Exchange Server that was actively exploited in the wild and — Microsoft says — can let an attacker execute arbitrary JavaScript when an Outlook Web Access user opens a specially crafted message.

How the vulnerability works and which servers are affected

According to Microsoft’s Exchange Team, CVE-2026-42897 is a spoofing vulnerability that enables remote attackers with no privileges to execute arbitrary JavaScript in a victim’s browser. "An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," the Exchange Team said when Microsoft first rolled out an automatic temporary mitigation.

Microsoft identifies the affected products as Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). The attack path depends on Outlook Web Access (OWA) clients opening the crafted email and meeting the unspecified interaction conditions that trigger the script execution.

Microsoft’s mitigation and the June 2026 security update

In mid-May Microsoft deployed an automatic temporary mitigation using the Exchange Emergency Mitigation Service (EEMS). Yesterday Microsoft released security updates intended to fully address the flaw and urged administrators to deploy them "as soon as possible."

In an update to its original advisory Microsoft advised administrators to keep the temporary mitigations enabled even after applying the fixes, saying: "Microsoft recommends installing the June 2026 Security Updates for your version of Exchange Server as soon as possible to be protected from this vulnerability." Microsoft added that it is continuing to "enhance protections for cross-site scripting attacks" and that the mitigation "provides an additional layer of defense and helps ensure continuous protection as further improvements are released."

CISA’s directive and past Exchange-focused actions

The Cybersecurity and Infrastructure Security Agency placed CVE-2026-42897 on its list of security flaws "exploited in the wild" on May 15 and ordered U.S. government agencies to patch their servers within two weeks, setting a remediation deadline of May 29.

CISA’s move sits alongside a broader record: over the past five years the agency has added 20 Microsoft Exchange Server vulnerabilities to its exploited-in-the-wild list, and ransomware gangs have been credited with exploiting 14 of those 20 vulnerabilities. In October, weeks after Exchange 2016 and 2019 reached end of support, CISA and the National Security Agency released guidance aimed at hardening Exchange servers against attacks.

What this means for security teams, policymakers, and affected enterprises

  • Security teams and technologists: Deploy the June 2026 Security Updates for your Exchange version "as soon as possible" and leave the EEMS mitigation in place for an extra layer of defense, per Microsoft’s recommendation. The vulnerability’s exploitability by remote, non-privileged attackers and its trigger via Outlook Web Access increase the urgency for OWA-facing deployments.
  • Policymakers and government IT leaders: CISA’s May 15 listing and its two‑week patch directive signal continued expectation of rapid remediation for government-owned Exchange servers. The agency’s historical tally of Exchange flaws and the October hardening guidance from CISA and the NSA frame this as part of an ongoing, institution-level effort.
  • Affected enterprises and procurement owners: Confirm which Exchange editions are in use—Exchange Server 2016, 2019, or Subscription Edition—and prioritize installation of the June 2026 updates while keeping EEMS mitigations active. Enterprises still operating out-of-support versions should note CISA and NSA hardening guidance referenced after end of support for 2016 and 2019.

Open items and immediate operational notes

BleepingComputer reported that it "has yet to receive a response from Microsoft to questions about the attacks exploiting CVE-2026-42897," leaving some specifics about the scope and observed exploitation unconfirmed in public reporting. Microsoft’s advisory stresses continued mitigation while it rolls out further improvements for cross-site scripting protections.

The combination of a remotely exploitable XSS that requires only an OWA user to open a crafted email, a CISA directive with a two‑week deadline, and Microsoft’s dual approach of automatic temporary mitigation plus a formal security update frames this as a vulnerability administrators should treat with high priority until mitigations and updates are fully applied across exposed servers.

Original reporting: BleepingComputer — Microsoft patches Exchange Server zero-day exploited in attacks

Emerging ThreatsMicrosoftZero-DaySpoofing VulnerabilityExchange ServerCross-Site ScriptingCVE-2026-42897Outlook Web Access
Related Intelligence

Continue Reading

Person holding smartphone stands before secure door with keycard reader and biometric scanner.

Credential Theft Spurs Demand for Secure Identity Verification

Credential theft skyrocketed 160% in 2025, fueling a critical need for secure identity verification solutions that can outsmart AI-driven attacks. To stay ahead, robust multi-factor authentication is a must-have, combining unique factors like something you know, have, and are to fortify defenses.

Analyst 207
Modern network hub with sleek architecture symbolizing tech and security intersection.

AI-Fueled Attacks Prompt Enterprises to Overhaul Security Architecture

Enterprises in APAC are scrambling to revamp their security architecture as AI-fueled attacks exploit new vulnerabilities at lightning-fast speed, making rapid containment more crucial than ever. Automation is now a vital defense against these accelerated threats.

Analyst 207
Modern office workstation with laptop and computer setup amidst blurred server room equipment.

ServiceNow Warns of Flaw Exploited for Unauthorized Access

ServiceNow has issued a security update to fix a flaw that could allow unauthorized users to gain excessive access to customer instances, and the company is urging users to take action to protect their systems. The update was applied to hosted customer instances on June 5, 2026.

Analyst 207
Windows laptop on a plain surface with a blank system interface on screen, nearby USB drive and scattered notes.

Microsoft Defender Zero-Day Exploited for SYSTEM Access

A security researcher, known as Chaotic Eclipse, has discovered a Microsoft Defender zero-day exploit, dubbed RoguePlanet, that can give attackers unrestricted access to compromised machines. The proof-of-concept exploit, released under the handle MSNightmare, can yield a shell with SYSTEM-level privileges, allowing hackers to run arbitrary code and perform unauthorized actions.

Analyst 207