Microsoft Exchange Zero-Day Under Attack, No Patch Available


Dark Reading, May 18, 2026

Why It Matters

The vulnerability enables mailbox compromise, paving the way for business‑email‑compromise and ransomware attacks that can disrupt enterprises and erode trust in Microsoft’s flagship email platform.

Key Takeaways

  • CVE‑2026‑42897 affects Exchange Outlook Web Access (OWA), enabling email spoofing via cross‑site scripting (XSS).
  • Microsoft rates the flaw CVSS 8.1, indicating high risk; NIST rates it 6.1.
  • No patch is available yet; mitigation is via the Emergency Mitigation (EM) service or the Exchange On‑premises Mitigation Tool (EOMT).
  • Exploitation can lead to mailbox takeover, business‑email‑compromise (BEC), and ransomware.
  • CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, flagging active exploitation.

Pulse Analysis

Exchange remains a cornerstone of corporate communications, and any weakness reverberates across thousands of enterprises. The newly disclosed CVE‑2026‑42897 surfaces just days after a busy Patch Tuesday, highlighting how even well‑maintained platforms can harbor critical flaws. By exploiting a cross‑site scripting bug in Outlook Web Access, threat actors can inject malicious JavaScript, hijack session tokens, and impersonate users—effectively turning a simple email client into a gateway for broader network infiltration. The vulnerability’s CVSS 8.1 rating underscores its potential for severe impact, while the lower NIST score reflects differing assessments of exploitability and scope.

For organizations, the immediate concern is mailbox compromise. Attackers who gain access can read confidential messages, send fraudulent emails, and install forwarding rules that persist beyond password changes, a classic vector for business‑email‑compromise (BEC) scams. Such breaches often serve as a stepping stone to ransomware deployment, amplifying financial and reputational damage. The fact that CISA has listed the flaw in its Known Exploited Vulnerabilities (KEV) catalog signals that nation‑state and criminal groups are already leveraging the bug, prompting urgent risk‑management actions across the sector.
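Because forwarding rules survive a password reset, a mailbox-rule audit is the check a defender wants after reading the paragraph above. The following Exchange Management Shell script is an added example written for this page, not code from the Dark Reading article or from Microsoft; it uses the standard on-premises cmdlets Get-Mailbox, Get-InboxRule and Search-AdminAuditLog. The internal-domain list and the 14-day lookback window are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): audit for persistent mail forwarding
# at mailbox level and in inbox rules, then pull recent rule/forwarding changes
# from the admin audit log. Run in the Exchange Management Shell with a role
# that can read mailbox configuration and the admin audit log.

$internalDomains = @('example.com')   # assumption: replace with your accepted domains
$lookbackDays    = 14                 # assumption: how far back to search the audit log

# 1. Mailbox-level forwarding (set with Set-Mailbox, not visible to the user in OWA rules)
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, forward-as-attachment, or redirect mail
$ruleFindings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets    = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $targetText = ($targets | ForEach-Object { "$_" }) -join '; '
            # Heuristic: flag as external when an SMTP address appears that is not
            # in one of our internal domains. Analysts should still review every hit.
            $hasInternal = $internalDomains | Where-Object { $targetText -match ('@' + [regex]::Escape($_)) }
            [pscustomobject]@{
                Mailbox        = $mbx.PrimarySmtpAddress
                RuleName       = $_.Name
                Enabled        = $_.Enabled
                Targets        = $targetText
                LikelyExternal = [bool]($targetText -match '@') -and -not [bool]$hasInternal
            }
        }
}

# 3. Who created or changed forwarding recently (admin audit log covers PowerShell and
#    OWA/EWS rule changes that are proxied through cmdlets)
$recentChanges = Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Set-Mailbox `
    -StartDate (Get-Date).AddDays(-$lookbackDays) -EndDate (Get-Date) |
    Where-Object {
        $_.CmdletName -ne 'Set-Mailbox' -or
        ($_.CmdletParameters.Name -contains 'ForwardingSmtpAddress') -or
        ($_.CmdletParameters.Name -contains 'ForwardingAddress')
    } |
    Select-Object RunDate, Caller, ObjectModified, CmdletName

"== Mailbox-level forwarding =="
$mailboxForwarding | Format-Table -AutoSize
"== Inbox rules that forward or redirect (external first) =="
$ruleFindings | Sort-Object LikelyExternal -Descending | Format-Table -AutoSize
"== Forwarding/rule changes in the last $lookbackDays days =="
$recentChanges | Sort-Object RunDate -Descending | Format-Table -AutoSize
```

The three views answer different questions: step 1 catches forwarding that never appears in a user's rule list, step 2 catches rules planted through OWA (the surface this CVE abuses), and step 3 attributes each change to an account and time so an entry made during a suspected compromise window stands out. Removing a malicious rule without also revoking the attacker's session and resetting the credential only treats the symptom.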

Microsoft’s interim mitigations—enabling the Emergency Mitigation (EM) service and deploying the Exchange On‑premises Mitigation Tool (EOMT)—provide a stopgap but come with functional trade‑offs, such as degraded OWA features. Enterprises should prioritize these controls while accelerating patch‑testing cycles and revisiting email security architectures, including multi‑factor authentication and zero‑trust segmentation. The episode reinforces a broader industry lesson: “boring” vulnerabilities like XSS remain potent, and continuous monitoring, rapid response, and layered defenses are essential to safeguard critical communication infrastructure.
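Since the article's only available mitigations are the EM service and EOMT, the practical follow-up is to confirm on every Exchange server that the EM service is running and allowed to fetch and apply mitigations. This is an added example for this page, not code from the Dark Reading article or from Microsoft; it uses Get-ExchangeServer, Get-OrganizationConfig and the Windows service query for MSExchangeMitigation. The mitigation-related property names and the Microsoft endpoint below are taken from the EM service documentation as I recall it; verify them against current Microsoft guidance, and the endpoint check assumes the server has outbound HTTPS egress.

```powershell
# Added example (not from the article): verify Emergency Mitigation (EM) service
# readiness across all on-premises Exchange servers. Run in the Exchange
# Management Shell as an Exchange administrator.

# Organisation-wide switch: if this is $false, no server applies mitigations
$orgSetting = Get-OrganizationConfig | Select-Object -ExpandProperty MitigationsEnabled
"Organisation MitigationsEnabled: $orgSetting"

$report = foreach ($srv in Get-ExchangeServer) {
    # Per-server switch plus the list of mitigations the service has applied/blocked
    # (property availability depends on the installed Cumulative Update)
    $detail = Get-ExchangeServer -Identity $srv.Name |
        Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

    # The EM service itself runs as the Windows service MSExchangeMitigation
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $detail.Name
        MitigationsEnabled = $detail.MitigationsEnabled
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        Applied            = ($detail.MitigationsApplied -join ', ')
        Blocked            = ($detail.MitigationsBlocked -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers that cannot apply mitigations, either by configuration or because the
# service is not running, are the ones to fix first while no patch exists.
$needsAttention = $report | Where-Object {
    -not $_.MitigationsEnabled -or $_.ServiceStatus -ne 'Running'
}
if ($needsAttention) {
    "Servers needing attention:"
    $needsAttention | Format-Table Server, MitigationsEnabled, ServiceStatus -AutoSize
    # Enabling per server is done with Set-ExchangeServer; shown here, not executed,
    # because the functional trade-offs mentioned in the article warrant a change review:
    #   Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true
}

# Connectivity check: the EM service pulls mitigation definitions from Microsoft's
# Office Config Service. Endpoint per Microsoft's EM documentation (verify before use).
try {
    $resp = Invoke-WebRequest -Uri 'https://officeclient.microsoft.com/GetExchangeMitigations' -UseBasicParsing -TimeoutSec 15
    "OCS reachable, HTTP $($resp.StatusCode)"
} catch {
    "OCS not reachable from this host: $($_.Exception.Message)"
}
```

Run this from each Active Directory site, because egress rules often differ per site and a server that cannot reach the endpoint silently applies nothing. Keep the output with your change records so that, when the patch ships and the temporary mitigations are rolled back, you can show which servers were covered during the exposure window.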
