Active Exploitation of Microsoft Exchange Server XSS Flaw via Crafted Email
Microsoft disclosed CVE-2026-42897, a high-severity spoofing vulnerability in on-premises Microsoft Exchange Server that is being actively exploited in the wild. The flaw stems from improper neutralization of input during web page generation and can be triggered when a user opens a specially crafted email in Outlook Web Access, leading to cross-site scripting and arbitrary JavaScript execution in the victim’s browser context. Affected products include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition; Exchange Online is not affected.
Microsoft has not yet released a permanent patch for CVE-2026-42897, but said it is automatically deploying a temporary mitigation through the Exchange Emergency Mitigation Service, which applies a URL rewrite configuration and is enabled by default. For air-gapped or disconnected environments, the company directed administrators to use the Exchange on-premises Mitigation Tool, while noting that a cosmetic issue may affect how mitigation status is reported. Microsoft also published the vulnerability in its Security Update Guide alongside other advisories, including CVE-2026-41615 for Microsoft Authenticator.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2026-42897 to KEV catalog and sets remediation deadline
CISA added Microsoft Exchange Server flaw CVE-2026-42897 to its Known Exploited Vulnerabilities catalog after Microsoft confirmed in-the-wild exploitation. Under Binding Operational Directive 22-01, federal agencies were ordered to remediate the vulnerability by 2026-05-29.
Microsoft deploys temporary mitigation for Exchange flaw via EEMS
Because no permanent patch was yet available, Microsoft began automatically deploying a temporary mitigation through the Exchange Emergency Mitigation Service using a URL rewrite configuration. Microsoft also provided guidance for air-gapped environments through the Exchange on-premises Mitigation Tool and noted a cosmetic reporting issue in mitigation status.
Microsoft reports active exploitation of CVE-2026-42897
Microsoft said CVE-2026-42897 is being actively exploited in the wild against on-premises Exchange Server deployments. Successful exploitation can result in arbitrary JavaScript execution in the victim's browser context, which requires user interaction: the targeted user must open the crafted email.
Microsoft discloses CVE-2026-42897 in on-premises Exchange Server
Microsoft published advisory information for CVE-2026-42897, a high-severity spoofing vulnerability affecting Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. The flaw is described as an input neutralization issue during web page generation that can lead to cross-site scripting when a crafted email is opened in Outlook Web Access.
Sources
WARNING: Cross-Site Scripting in Microsoft Exchange Server Can Be Exploited to Perform Spoofing and Session Hijacking. Actively Exploited in the Wild, Apply Mitigations Immediately! | CCB Belgium (ccb.belgium.be)
U.S. CISA adds a flaw in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
Microsoft warns of active exploitation of new Exchange Server zero-day vulnerability | brief | SC Media (scworld.com)
Microsoft Exchange: Zero-day vulnerability is being attacked | heise online (heise.de)
CVE-2026-41615 - Security Update Guide - Microsoft - Microsoft Authenticator Information Disclosure Vulnerability (msrc.microsoft.com)
CVE-2026-42897 - Security Update Guide - Microsoft - Microsoft Exchange Server Spoofing Vulnerability (msrc.microsoft.com)
CVE-2026-42897: Reflected Cross-Site Scripting in Microsoft Exchange Server OWA | CVEReports (cvereports.com)
Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn (learn.microsoft.com)