Microsoft Patches Actively Exploited Exchange Server Zero-Day
Microsoft has released security updates to fix a critical zero-day vulnerability in Exchange Server that was actively exploited in the wild, allowing attackers to execute arbitrary JavaScript code.

Microsoft has issued urgent security updates to address a zero-day vulnerability affecting its Exchange Server software. The flaw, identified as CVE-2026-42897, was actively exploited by threat actors before a patch was made available, posing a significant risk to organizations running vulnerable versions of the email server.
The vulnerability is classified as a high-severity spoofing issue that allows remote attackers with no prior privileges to execute arbitrary JavaScript code via cross-site scripting (XSS) against users of Outlook Web Access (OWA). According to Microsoft's Exchange Team, an attacker could exploit it by sending a specially crafted email. When the recipient opens that email in OWA and certain user-interaction conditions are met, the malicious JavaScript runs in the victim's browser context, that is, within their authenticated OWA session.
Microsoft initially deployed temporary mitigations for this vulnerability in mid-May through its Exchange Emergency Mitigation Service (EEMS) while working on a permanent fix. The company has now released the June 2026 Security Updates for Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE), strongly advising administrators to deploy them as soon as possible.
In addition to installing the patches, Microsoft recommends that customers keep the existing EEMS mitigations in place. This layered approach adds a further safeguard and maintains protection while additional security enhancements are rolled out. The company has not yet responded to inquiries about the specific attacks that exploited CVE-2026-42897.
The Cybersecurity and Infrastructure Security Agency (CISA) has also taken action, adding the vulnerability to its list of actively exploited flaws on May 15. CISA mandated that U.S. federal agencies patch their Exchange servers within two weeks, by May 29, highlighting the urgency of the situation.
This incident is part of a broader trend of vulnerabilities affecting Microsoft Exchange Server. Over the past five years, CISA has added 20 Exchange Server vulnerabilities to its exploited list, with ransomware gangs notably exploiting 14 of them. This persistent targeting underscores the critical importance of maintaining up-to-date security configurations for these widely used email systems.
Furthermore, in October, following the end of support for Exchange 2016 and 2019, CISA and the National Security Agency (NSA) issued guidance on hardening Exchange servers. This advisory aimed to bolster defenses against the ongoing threats targeting the platform, a recommendation that remains highly relevant given the continued exploitation of its vulnerabilities.