Exchange Server Zero-Day Let Attackers Run JavaScript in Outlook Web Access
Microsoft released fixes for CVE-2026-42897, a high-severity spoofing flaw in Exchange Server that was actively exploited in attacks and could lead to arbitrary JavaScript execution through cross-site scripting in Outlook Web Access (OWA). The vulnerability affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition, and can be triggered remotely without privileges by sending a specially crafted email that executes when opened in OWA under certain user-interaction conditions. Microsoft classifies the issue as a spoofing vulnerability, consistent with prior MSHTML- and web-rendering-related spoofing flaws such as CVE-2024-43461.
Before full patches were released, Microsoft deployed an automatic temporary mitigation through the Exchange Emergency Mitigation Service in mid-May and later shipped permanent fixes in its June 2026 security updates, while advising administrators to keep mitigations enabled and patch immediately. CISA added the bug to its Known Exploited Vulnerabilities catalog on May 15 and ordered U.S. federal agencies to remediate affected systems by May 29, underscoring continued attacker focus on Exchange, which has seen numerous exploited flaws over the past five years, including several linked to ransomware activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft releases June 2026 Exchange security updates
Microsoft released June 2026 Security Updates to patch CVE-2026-42897 in Exchange Server 2016, 2019, and Subscription Edition. Administrators were urged to apply the updates immediately and keep mitigations enabled.
Microsoft deploys temporary mitigation for Exchange zero-day
Microsoft previously rolled out an automatic temporary mitigation for CVE-2026-42897 through the Exchange Emergency Mitigation Service. The article anchors this action only to mid-May 2026.
Federal remediation deadline passes for Exchange zero-day
CISA directed U.S. federal agencies to remediate CVE-2026-42897 by May 29. This deadline followed the vulnerability's addition to the KEV catalog.
CISA adds Exchange zero-day CVE-2026-42897 to KEV catalog
CISA added CVE-2026-42897, an actively exploited Exchange Server spoofing vulnerability, to its Known Exploited Vulnerabilities catalog. It also ordered U.S. federal agencies to remediate affected systems by May 29.
Microsoft publishes advisory for CVE-2024-43461
Microsoft's Security Update Guide lists CVE-2024-43461 as a Windows MSHTML Platform spoofing vulnerability. The advisory was published on September 10, 2024.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Microsoft Exchange Server 0-Day Vulnerability Exploited in Attacks Using Weaponized Email
cybersecuritynews.com
Open sourceMicrosoft patches Exchange Server zero-day exploited in attacks
bleepingcomputer.com
Open sourceCVE-2024-43461 - Security Update Guide - Microsoft - Windows MSHTML Platform Spoofing Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Microsoft Exchange Server XSS Flaw via Crafted Email
Microsoft disclosed **CVE-2026-42897**, a high-severity spoofing vulnerability in on-premises **Microsoft Exchange Server** that is being actively exploited in the wild. The flaw stems from improper neutralization of input during web page generation and can be triggered when a user opens a specially crafted email in **Outlook Web Access**, leading to cross-site scripting and arbitrary JavaScript execution in the victim’s browser context. Affected products include **Exchange Server 2016**, **Exchange Server 2019**, and **Exchange Server Subscription Edition**; **Exchange Online** is not affected. Microsoft has not yet released a permanent patch for `CVE-2026-42897`, but said it is automatically deploying a temporary mitigation through the **Exchange Emergency Mitigation Service**, which applies a URL rewrite configuration and is enabled by default. For air-gapped or disconnected environments, the company directed administrators to use the **Exchange on-premises Mitigation Tool**, while noting a cosmetic issue may affect mitigation status reporting. Microsoft also published the vulnerability in its Security Update Guide alongside other advisories, including **CVE-2026-41615** for Microsoft Authenticator.
May 19, 2026
Microsoft Exchange Server Flaws Enabled Spoofing, Security Bypass, and SYSTEM-Level Access
Microsoft disclosed multiple vulnerabilities in on-premises **Exchange Server**, including **CVE-2021-31207** (security feature bypass), **CVE-2021-31209** (spoofing), and **CVE-2022-41040** (elevation of privilege). The issues affected Exchange deployments rather than **Exchange Online**, extending a pattern of high-impact weaknesses in the mail platform that could undermine trust boundaries, enable impersonation, and weaken built-in protections. Among them, **CVE-2022-41040** was rated **Critical** with a **CVSS 3.1 score of 8.8**, and Microsoft said exploitation had been detected in the wild before public disclosure. The flaw required an authenticated attacker with low privileges and no user interaction, and successful exploitation could allow the attacker to run **PowerShell** as **`SYSTEM`**. Microsoft later released security updates and directed Exchange Server customers to apply mitigations and patches for the reported zero-day issues.
May 25, 2026
Microsoft Exchange Server Spoofing Flaws Tracked Across Multiple CVEs
Microsoft has published Security Update Guide entries for multiple **Microsoft Exchange Server spoofing vulnerabilities**, including `CVE-2021-1730`, `CVE-2024-49040`, and `CVE-2025-64667`. The references indicate a recurring class of flaws affecting Exchange Server in which an attacker could impersonate a trusted source or manipulate how identities or messages are presented, creating opportunities for phishing, fraud, or follow-on compromise in enterprise email environments. The available advisories provide limited public technical detail, but the repeated publication of Exchange spoofing CVEs shows that Microsoft continues to track and remediate this attack surface through its update program. For defenders, the immediate implication is to review Exchange Server exposure, validate that relevant Microsoft security updates tied to these CVEs have been applied, and monitor mail infrastructure for signs of spoofed communications or abuse of trust relationships involving Exchange services.
May 25, 2026