Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild
CVE-2026-42897 is a zero-day vulnerability in Microsoft Exchange Server versions including Subscription Edition, 2016, and 2019. It involves improper neutralization of input during web page generation, leading to cross-site scripting (XSS) and spoofing attacks via Outlook Web Access (OWA). An attacker can exploit this by sending a specially crafted email that, when opened in OWA, executes arbitrary JavaScript in the user's browser. Microsoft has acknowledged exploitation in the wild and provided mitigation guidance pending a permanent patch. No official patch has been released yet.
AI Analysis
Technical Summary
CVE-2026-42897 is a zero-day vulnerability affecting Microsoft Exchange Server Subscription Edition, 2016, and 2019. The flaw is an XSS and spoofing issue caused by improper input neutralization during web page generation in Outlook Web Access. Exploitation requires an attacker to send a crafted email that triggers JavaScript execution when opened by the target user in OWA. Microsoft has confirmed exploitation in the wild and shared mitigations but has not yet released a permanent patch. The vulnerability allows unauthorized attackers to perform spoofing over a network by executing arbitrary JavaScript in the browser context of the victim.
Potential Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser when using Outlook Web Access. This can lead to spoofing attacks and potentially other malicious actions within the user's session. The vulnerability affects multiple Exchange Server versions and is actively exploited in the wild, increasing risk to affected organizations until a patch is available.
Mitigation Recommendations
Microsoft has shared mitigation options to reduce risk until a permanent patch is released. Organizations should apply these mitigations immediately, as recommended by Microsoft. Because no official patch is currently available, monitoring the vendor advisory for updates is critical. Nothing in the vendor advisory indicates that no action is required or that the issue is already mitigated, so the recommended mitigations should be applied.
Technical Details
- Article Source: https://www.securityweek.com/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild/ (fetched 2026-05-15T12:07:47.093Z; word count 988)
Threat ID: 6a070c93ec166c07b03e095c
Added to database: 5/15/2026, 12:07:47 PM
Last enriched: 5/15/2026, 12:07:52 PM
Last updated: 5/16/2026, 7:32:14 AM