Microsoft has released security updates for an Exchange Server zero-day that was exploited in the wild, according to reporting from BleepingComputer. Tracked as CVE-2026-42897, the flaw enables cross-site scripting (XSS) against Outlook Web Access (OWA) users and can lead to arbitrary JavaScript execution in the browser when certain interaction conditions are met.
Why it matters: OWA is a common access point for email in many organizations. An attacker who can run JavaScript in a user’s browser session may be able to spoof content, mislead users, or interact with OWA in unintended ways. While the specifics of observed exploitation are not public, the combination of active abuse and email-delivered triggers raises the priority to patch.
What Microsoft changed
BleepingComputer cites Microsoft’s description of CVE-2026-42897 as a high-severity spoofing vulnerability affecting Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Microsoft previously rolled out an automatic temporary mitigation via the Exchange Emergency Mitigation Service (EEMS) in mid-May and has now shipped full security updates. Microsoft advises administrators to apply the June 2026 Security Updates for their Exchange version “as soon as possible” and to keep the EEMS mitigation enabled for an added layer of defense as protections continue to evolve.
- Microsoft advisory: CVE-2026-42897 on the Microsoft Security Response Center (MSRC): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
- Exchange Team guidance on CVE-2026-42897: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15 and required U.S. federal agencies to patch by May 29, underscoring the urgency: https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog
Related Exchange XSS entries
Around the same period, several additional Exchange Server XSS issues were listed on MSRC/NVD, each described as allowing spoofing over a network:
- CVE-2026-47631: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47631
- CVE-2026-45500: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45500
- CVE-2026-45501: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45501
Public details for these entries are limited in the provided sources. There is no evidence here indicating that these specific CVEs were exploited in the wild. Organizations should review Microsoft’s advisories to determine relevance to their deployments.
Practical next steps
Based on Microsoft’s and CISA’s public guidance referenced above:
- Install the June 2026 Exchange Server security updates for your specific version as soon as possible.
- Keep the Exchange Emergency Mitigation Service protections in place, even after patching, for layered defense.
- Track Microsoft’s CVE-2026-42897 advisory and CISA’s KEV entry for any updates or additional guidance.
What’s still unclear
BleepingComputer notes that it has not received responses from Microsoft to questions about the ongoing attacks leveraging CVE-2026-42897. The precise scope of exploitation and the exact user interaction conditions required beyond “opening the email in OWA” are not detailed in the sources provided here. Until more technical information is published, prioritize patching and keep mitigations enabled.
Staying current with Exchange Server updates remains critical. CISA has highlighted sustained attacker interest in Exchange over the years, and timely patching—paired with Microsoft’s mitigations—offers the most direct risk reduction for environments that expose OWA.
Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Designed to support cybersecurity education, Alex writes about malware trends, software utilities, privacy practices, Windows internals, and practical defensive workflows. Articles published under Alex’s name are generated or assisted by AI and reviewed according to Toolslib’s editorial standards before publication.
Stay Updated with ToolsLib! 🚀
Join our community to receive the latest cybersecurity tips, software updates, and exclusive insights straight to your inbox!
