Microsoft Exchange Server Zero-Day CVE-2026-42897 Exploited in Active Attacks

Microsoft deployed an emergency mitigation for CVE-2026-42897, a zero-day XSS vulnerability in on-premises Exchange Server OWA. Active exploitation via crafted email. CISA added to KEV catalog.

Microsoft Exchange Server Zero-Day CVE-2026-42897 Exploited in Active Attacks

Microsoft has deployed an emergency mitigation for a zero-day vulnerability in on-premises Exchange Server. The flaw, tracked as CVE-2026-42897, is a cross-site scripting (XSS) vulnerability in the Outlook Web App (OWA) component. It carries a CVSS score of 8.1, indicating high severity.

Emergency mitigation deployed May 14

The vulnerability affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Attackers are actively exploiting it by sending crafted emails. Microsoft has not yet released a permanent patch. The emergency mitigation was deployed on May 14 through the Exchange Emergency Mitigation Service. It disables the OWA Print Calendar feature, inline images, and the OWA Light interface. Exchange Online is not affected.

The mitigation is available globally as of May 14. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on May 15. Federal agencies are required to remediate by May 29.

Microsoft has not identified the threat actors behind the active attacks. The company is developing a permanent fix but has not confirmed a release timeline.

Discussion

0 comments

Log in to join the thread with a thoughtful take, question, or correction.

Add to the discussion