MICROSOFT on Thursday disclosed a zero-day vulnerability in Exchange that is under active exploitation, and four days later customers were still awaiting a patch. The flaw, tracked as CVE-2026-42897, affects Exchange Outlook Web Access (OWA) and could allow an unauthorized attacker to execute arbitrary JavaScript via a specially crafted email, enabling spoofing over a network.
CVE-2026-42897 affects on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Microsoft rates it CVSS 8.1, while the NIST National Vulnerability Database (NVD) assigns it a medium-severity 6.1. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting potential access to mailboxes and session tokens, and unauthorized mailbox changes.
Microsoft described two mitigations to use while it prepares a security update: enabling the Exchange Emergency Mitigation Service (EEMS), which fetches and applies Microsoft-published mitigations automatically, and running an updated version of the Exchange On-premises Mitigation Tool (EOMT). The company noted that the mitigation itself causes problems, including disruptions to OWA Print Calendar and OWA Light, and gave no timetable for the patch.
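Administrators who rely on the first of those mitigations will want to confirm that EEMS is actually switched on and that the mitigation has landed on each server, since EEMS can be disabled at the organization level or per server and needs outbound HTTPS to Microsoft's Office Config Service to pull anything down. The Exchange Management Shell snippet below is an added example written for this page, not code from the article or from Microsoft; `EX01` is a placeholder server name, and the commented-out `Set-*` lines are only there for the case where EEMS was deliberately turned off earlier.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell
# on an on-premises Exchange 2016 / 2019 / SE server. "EX01" is a placeholder.
$server = "EX01"

# EEMS is gated at two levels: organization-wide and per server.
# Both MitigationsEnabled values must be $true for mitigations to apply.
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer -Identity $server |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# The Windows service that polls Microsoft for mitigations and applies them.
# It should be Running with an Automatic start type.
Get-Service -Name MSExchangeMitigation | Format-List Name, Status, StartType

# Microsoft ships a helper script with Exchange that lists the mitigations
# currently applied on this server (useful for auditing what EEMS changed).
& "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"

# If EEMS was disabled earlier, re-enable it. Assumption: the server meets the
# EEMS prerequisites (outbound HTTPS to the Office Config Service endpoint).
# Set-OrganizationConfig -MitigationsEnabled $true
# Set-ExchangeServer -Identity $server -MitigationsEnabled $true

# The second mitigation path, EOMT, is a separately downloaded script
# (https://aka.ms/EOMT) that is run elevated on each server; it is not
# driven from these cmdlets.
```

Because the article reports that the mitigation breaks OWA Print Calendar and OWA Light, it is worth recording the `MitigationsApplied` output before and after so the change can be tied to any helpdesk reports, and re-running the check once the real security update ships to confirm the interim mitigation has been superseded rather than left in place.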