Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild

Microsoft warns of a new Exchange Server zero-day vulnerability actively exploited in the wild, putting organizations using Exchange Server at immediate risk. The flaw, tracked as CVE-2026-42897, enables attackers to perform spoofing and cross-site scripting (XSS) attacks via Outlook Web Access (OWA). This vulnerability demands urgent attention because it allows arbitrary JavaScript execution in a user’s browser, potentially leading to unauthorized access and further compromise of sensitive email environments.

What Happened

On May 14, Microsoft disclosed a zero-day vulnerability affecting multiple versions of Exchange Server, including Subscription Edition, 2016, and 2019. This vulnerability was not included in the recent Patch Tuesday updates, which addressed 137 other security flaws but no zero-days. The security community was caught off guard by the timing and seriousness of this newly revealed flaw.

The vulnerability arises from improper neutralization of input during web page generation in Exchange Server, specifically targeting the Outlook Web Access interface. Attackers exploit it by sending specially crafted emails to users. If the targeted user opens the malicious email within OWA and interacts under certain conditions, the attacker’s arbitrary JavaScript code executes in the browser’s context, which can hijack user sessions or steal sensitive data.

Microsoft has acknowledged the exploit but has not disclosed details regarding the scale or specific incidents of attacks leveraging this zero-day. An anonymous security researcher reported the flaw, prompting Microsoft to issue a warning and mitigation guidance while working on a permanent patch.

The Microsoft Warns of Exchange Server Zero-Day Vulnerability Explained

The zero-day flaw CVE-2026-42897 involves cross-site scripting combined with spoofing capabilities. Cross-site scripting occurs when an application does not properly sanitize user input, allowing malicious scripts to run in the context of a trusted website. In this case, the vulnerability lies in how Exchange Server generates web pages for OWA, failing to neutralize inputs correctly.

Attackers who successfully exploit this vulnerability can craft emails that appear legitimate but contain hidden scripts. When these emails are viewed in Outlook Web Access, the embedded JavaScript executes without the user’s knowledge. This could allow attackers to impersonate users, manipulate email content, or steal authentication tokens, effectively bypassing normal security controls.

This type of attack is particularly dangerous because it requires no additional user action beyond opening an email in a webmail client, a routine task for many professionals. The ability to execute code within the browser context increases the risk of lateral movement within the network and data exfiltration.

Who Is at Risk

Organizations running Exchange Server Subscription Edition, 2016, or 2019 are directly vulnerable. The flaw specifically targets Outlook Web Access users, which means anyone accessing their email through the web interface rather than a desktop client could be exposed.

Given Exchange Server’s widespread use in enterprises, educational institutions, and government agencies, the potential victim pool spans multiple industries and regions. Since CVE-2026-42897 has not yet been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, many organizations may remain unaware of the severity and immediacy of the threat.

Attackers often target Exchange Server vulnerabilities due to the critical role email plays in business operations. Compromising email can provide access to sensitive communications, credentials, and internal networks. The fact that this zero-day is already exploited in the wild increases the urgency for all Exchange Server administrators to act immediately.

What To Do Now

Microsoft has not released a permanent patch for CVE-2026-42897 yet but has provided temporary mitigation steps that administrators must apply without delay. The company recommends enabling Exchange Enhanced Mitigation System (EEMS), which adds security protections against spoofing and scripting attacks.

Additional mitigation includes configuring email filters to block or quarantine suspicious messages and educating users about the risks of interacting with unexpected emails in Outlook Web Access. Network segmentation and enhanced monitoring for unusual OWA activity can also help detect early signs of exploitation.

Administrators should monitor Microsoft’s official guidance page for updates and patch releases. Applying patches as soon as they become available is critical to preventing further exploitation. Security teams should also review their incident detection and response plans, focusing on detecting suspicious webmail behaviors and potential lateral movement within networks.

Background On Exchange Server Vulnerabilities

Microsoft Exchange Server has been a frequent target of cyberattacks due to its critical role in enterprise communication. Past vulnerabilities, including ProxyLogon and ProxyShell, have led to widespread breaches and ransomware attacks. The cybersecurity community remains vigilant for new Exchange vulnerabilities because attackers continuously develop sophisticated exploits targeting its web components.

The CISA KEV catalog lists nearly two dozen Exchange Server flaws that have been actively exploited over recent years. Despite this, many organizations delay patching due to operational concerns, increasing their exposure. The emergence of CVE-2026-42897 highlights the need for proactive patch management and real-time threat monitoring around Exchange Server deployments.

As Microsoft develops a permanent fix, organizations must act swiftly to implement recommended mitigations and prepare for patch deployment. Exchange Server zero-day vulnerabilities present a high risk of data breaches, financial loss, and reputational damage. Prioritizing security updates and educating users on safe email practices remain key defenses.