According to Microsoft, a newly disclosed zero-day vulnerability in Exchange Server, tracked as CVE-2026-42897, has been exploited in attacks and is described as a spoofing and cross-site scripting issue affecting Exchange Server Subscription Edition, 2016, and 2019.
Microsoft says the flaw allows an unauthorized attacker to perform spoofing over a network by exploiting improper input neutralisation during web page generation, with exploitation possible when a targeted user opens a specially crafted email in Outlook Web Access (OWA) under certain conditions. Because the vulnerability is triggered through OWA, it allows arbitrary JavaScript to run in the context of the targeted user's browser session.
Mitigations have been shared to cover the period before a permanent patch is released, and SecurityWeek notes that Microsoft has not publicised attack details beyond the advisory. The zero-day was disclosed just 48 hours after Microsoft patched 137 vulnerabilities in its May Patch Tuesday updates, and CVE-2026-42897 has not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.