Microsoft released Patch Tuesday updates that address an actively exploited vulnerability in Exchange Server, tracked as CVE-2026-42897. This vulnerability is a spoofing and XSS flaw affecting Exchange Server Subscription Edition and versions 2016 and 2019. CISA added it to its Known Exploited Vulnerabilities catalog, mandating action by federal agencies. The vulnerability could allow attackers to execute arbitrary JavaScript via specially crafted emails.
Microsoft released patches on June 9 and advised immediate installation. Exploitation of Exchange vulnerabilities has decreased, with only one new entry in 2026 thus far.