CVE-2026-42897: Microsoft Confirms Active Exploitation of Exchange Server Zero-Day

The discovery of an actively exploited zero‑day in Microsoft Exchange Server underscores the platform’s persistent attractiveness to threat actors. CVE‑2026‑42897, assigned a CVSS score of 8.1, exploits an improper neutralization of input during web page generation, effectively a cross‑site scripting flaw that can be triggered through Outlook Web Access (OWA). Because Exchange sits at the heart of corporate email communication, any compromise grants attackers immediate visibility into internal conversations, credentials, and workflow automation. The timing is notable: the vulnerability surfaced just two days after Microsoft’s May 2026 Patch Tuesday, leaving organizations with no official fix.

The attack vector relies on a specially crafted email that, when opened in OWA, injects malicious JavaScript into the user’s browser session. This script can spoof network traffic, harvest authentication tokens, or pivot to more privileged actions. Microsoft’s emergency response includes a set of temporary mitigation measures—such as disabling legacy OWA protocols, enforcing strict content‑security policies, and applying the latest cumulative updates where possible. While these steps reduce exposure, they are not a substitute for a permanent patch, which Microsoft has indicated will be delivered in a forthcoming security update.

From a risk management perspective, the incident highlights the need for layered defenses around on‑premises Exchange deployments, many of which remain internet‑facing despite a shift toward cloud‑based email. Organizations should prioritize rapid deployment of the mitigations, conduct thorough log reviews for signs of OWA abuse, and consider network segmentation to limit lateral movement. The broader threat landscape shows that exchange zero‑days continue to fuel espionage and ransomware campaigns, making timely detection and response critical. Proactive threat‑intel monitoring and participation in information‑sharing forums can further blunt the impact of such exploits.