
"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network, Microsoft said in its advisory."
"The company noted that the vulnerability affects Exchange Outlook Web Access (OWA) and an attacker can exploit it by sending a specially crafted email to the targeted user. "If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," Microsoft explained."
"Until a permanent patch is developed, Microsoft has shared a couple of mitigation options. Microsoft has not shared any information on the attacks exploiting CVE-2026-42897. SecurityWeek has reached out to the company for clarification and will update this article if it responds."
"It's not uncommon for threat actors to target Exchange Server vulnerabilities - CISA's KEV catalog currently lists nearly two dozen such flaws - but there do not appear to be any other reports of vulnerabilities discovered in 2025 and 2026 being exploited in the wild. It's worth noting that CVE-2026-42897 has yet to be added to CISA's KEV list."
Microsoft urged Exchange Server users to mitigate a newly disclosed zero-day vulnerability that has been exploited in attacks. The flaw, CVE-2026-42897, affects Exchange Server Subscription Edition, 2016, and 2019, and involves spoofing and cross-site scripting. The vulnerability impacts Exchange Outlook Web Access. Microsoft stated that an attacker can exploit it by sending a specially crafted email to a targeted user. If the user opens the email in Outlook Web Access and certain interaction conditions occur, arbitrary JavaScript can execute in the browser context. Microsoft provided mitigation options while a permanent patch is developed. No details were provided about the attacks exploiting the vulnerability, and it had not yet been added to CISA’s KEV list.
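The advisory text above classifies the flaw as "improper neutralization of input during web page generation", which is the weakness class behind cross-site scripting. The following is an added example of the defensive counterpart, escaping sender-controlled text before it is placed into an HTML page; it is not code from SecurityWeek, Microsoft or Exchange, and it says nothing about the internals of CVE-2026-42897, which the article does not describe. The message fields, template layout and the `escapeHtml`, `renderMessagePreview` and `containsActiveMarkup` names are all assumptions made for the illustration.

```javascript
// Added example (not from the article or from Microsoft): the defensive
// counterpart of "improper neutralization of input during web page generation".
// Untrusted text taken from an email is escaped before it is placed into HTML,
// so any markup a sender includes is rendered as inert text, not parsed by the browser.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape every character that can change HTML structure or break out of a
// quoted attribute value. Each replacement entity contains no other escapable
// character, so a single pass is sufficient.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a message preview the way a webmail client might, keeping every
// sender-controlled field strictly in a text position of a fixed template.
function renderMessagePreview(message) {
  return (
    `<div class="msg">` +
    `<span class="from">${escapeHtml(message.from)}</span>` +
    `<span class="subject">${escapeHtml(message.subject)}</span>` +
    `<p class="body">${escapeHtml(message.body)}</p>` +
    `</div>`
  );
}

// Self-check: remove the template's own fixed tags, then confirm that no
// angle bracket survives anywhere the sender-controlled text was inserted.
function containsActiveMarkup(html) {
  const dynamicOnly = html.replace(/<\/?(div|span|p)(\s+class="[a-z]+")?>/g, "");
  return /[<>]/.test(dynamicOnly);
}

// Constructed sample message (not a real email): the body carries a script tag
// to show that it ends up as visible text rather than executable markup.
const SAMPLE_MESSAGE = {
  from: "Alice <alice@example.invalid>",
  subject: 'Quarterly report "final"',
  body: '<script>document.title = "changed"</script>see attached',
};

const rendered = renderMessagePreview(SAMPLE_MESSAGE);
console.log(rendered);
console.log("active markup left over:", containsActiveMarkup(rendered)); // false
```

The point of the fixed template is that escaping is applied at the moment of page generation, for every field, in the context where the text lands; a sanitizer applied once to stored mail content does not protect a second rendering path that forgets to escape.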
#microsoft-exchange-server #zero-day-vulnerability #cross-site-scripting-xss #outlook-web-access-owa #cybersecurity-mitigation
Read at SecurityWeek