VYPR
Published May 15, 2026 · Updated May 18, 2026 · 5 sources

Microsoft Exchange Zero-Day Exploited in the Wild; CISA Issues Urgent Warning

Microsoft has confirmed that a zero-day cross-site scripting vulnerability in on-premises Exchange Server is being actively exploited in the wild, prompting an immediate addition to CISA's Known Exploited Vulnerabilities catalog.

Microsoft has issued an urgent warning regarding a zero-day vulnerability in its on-premises Exchange Server software that is currently being exploited in the wild. Tracked as CVE-2026-42897, the flaw is a cross-site scripting (XSS) and spoofing issue that affects Outlook Web Access (OWA) [SecurityWeek]. While a permanent security update is still in development, the company has provided immediate mitigation steps for affected organizations [Help Net Security].

The vulnerability resides in the way Exchange Server handles input during web page generation. By sending a specially crafted email to a targeted user, an unauthorized attacker can trigger the execution of arbitrary JavaScript in the victim's browser context, provided specific interaction conditions are met [BleepingComputer]. This allows the attacker to perform spoofing over a network [SecurityWeek]. Microsoft has not yet disclosed specific details regarding the nature of the in-the-wild attacks or the exact interaction conditions required for successful exploitation [Help Net Security].

The flaw impacts several on-premises versions of the software, specifically Exchange Server Subscription Edition (SE) RTM, Exchange Server 2019, and Exchange Server 2016 [Help Net Security]. Exchange Online is not affected by this vulnerability [Help Net Security]. Microsoft has confirmed that future patches will be released for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. Notably, the company specified that updates for Exchange 2016 and 2019 will be restricted to customers enrolled in the Period 2 Exchange Server Extended Security Update (ESU) program [BleepingComputer].

To protect against active exploitation, Microsoft recommends that administrators rely on the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on servers with the Mailbox role and provides automatic protection [BleepingComputer]. For air-gapped environments or servers where EEMS is disabled, administrators can manually apply mitigations using the Exchange On-premises Mitigation Tool (EOMT) script [BleepingComputer]. Microsoft warns that applying these interim mitigations may cause functional side effects, such as issues with OWA Print Calendar functionality and the display of inline images in the OWA reading pane [BleepingComputer].
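Because the interim protection depends on EEMS actually being enabled and able to apply mitigations on each Mailbox server, an administrator will want to verify that state rather than assume the default. The following Exchange Management Shell snippet is an added example, not code from the article or from Microsoft; it assumes the documented EEMS properties on Get-OrganizationConfig and Get-ExchangeServer and the MSExchangeMitigation service name, and it treats servers where EEMS is off or unreachable as candidates for the manual EOMT path.

```powershell
# Added example: report EEMS state per Mailbox server so that servers needing
# manual EOMT mitigation for CVE-2026-42897 can be identified.
# Assumes Windows PowerShell (Exchange Management Shell) and the documented
# MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties.

# Organization-wide switch: if this is $false, EEMS applies nothing anywhere.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level; mitigations must be applied manually with EOMT."
}

# Per-server view, limited to the Mailbox role where EEMS runs.
$report = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' } | ForEach-Object {
    $server = $_
    # EEMS runs as the MSExchangeMitigation Windows service on each Mailbox server.
    $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $serviceStatus = if ($svc) { [string]$svc.Status } else { 'NotFound' }

    # A server needs manual EOMT attention if EEMS is off, or its service is not running
    # (typical for air-gapped hosts that cannot fetch mitigations).
    $needsManual = (-not $org.MitigationsEnabled) -or
                   (-not $server.MitigationsEnabled) -or
                   ($serviceStatus -ne 'Running')

    [pscustomobject]@{
        Server             = $server.Name
        MitigationsEnabled = $server.MitigationsEnabled
        ServiceStatus      = $serviceStatus
        Applied            = (@($server.MitigationsApplied) -join ', ')
        Blocked            = (@($server.MitigationsBlocked) -join ', ')
        NeedsManualEOMT    = $needsManual
    }
}

$report | Format-Table -AutoSize

# Summarise the servers that should be handled with the EOMT script instead.
$manual = $report | Where-Object { $_.NeedsManualEOMT }
if ($manual) {
    Write-Warning ("Servers requiring manual EOMT mitigation: " + (($manual.Server) -join ', '))
}
```

Review the Applied column after EEMS has had time to poll so that the side effects Microsoft describes (OWA Print Calendar, inline images) can be traced to a specific mitigation on a specific server.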

Following the disclosure, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation [CISA]. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate the flaw by the established deadline to mitigate risks to federal networks [CISA].

The discovery of this zero-day highlights the persistent risk posed by Exchange Server vulnerabilities, which remain a frequent target for malicious actors [CISA]. Over the past five years, CISA has added nearly two dozen Exchange-related flaws to its KEV catalog, many of which have been leveraged in ransomware campaigns [BleepingComputer]. Organizations are encouraged to keep their software updated and to prioritize deployment of the available mitigations as part of their broader vulnerability management strategies [CISA].

The article from Dark Reading provides additional details on the active exploitation of CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange's Outlook Web Access (OWA). It emphasizes that no patch is currently available, leaving organizations exposed to ongoing attacks that can compromise user accounts.

Synthesized by Vypr AI