Microsoft Exchange Server Vulnerability Exploited: CVE-2026-42897 Patch Needed
Microsoft Warns of Exploitation of Critical XSS Vulnerability in Exchange Server
Microsoft has alerted the public to a critical cross-site scripting (XSS) vulnerability in its on-premises Exchange Server software, identified as CVE-2026-42897.
Flaw Description:
This flaw allows an unauthorized attacker to perform spoofing over a network by sending a malicious email to a user, exploiting the vulnerability when the recipient interacts with the email in Outlook Web Access.
Affected Versions:
- On-premises versions of Microsoft Exchange Server Subscription Edition RTM
- Exchange Server 2019
- Exchange Server 2016
According to Microsoft, “an attacker could execute arbitrary JavaScript in the browser context if the victim opens the malicious email and meets specific interaction conditions.”
Mitigations:
Microsoft has provided two temporary mitigations until a permanent fix is available:
- Enable the Exchange Emergency Mitigation Service, which implements the fix automatically by default.
Additionally, Microsoft advises organizations to update their Exchange Server installations to the latest cumulative updates:
- Exchange SE RTM
- Exchange 2016 CU23
- Exchange Server 2019 CU14 and CU15
Organizations participating in the Period 2 Exchange Server ESU program will receive updates for Exchange 2016 and 2019.
Microsoft emphasizes that a security update will be released for impacted versions of Exchange Server in the future, and the company will provide further guidance at that time.
About Author
English