Microsoft Warns of Unpatched Exchange Server Vulnerability Exploited by Hackers


Critical Zero-Day Exploit Targets Microsoft Exchange Servers

A previously unknown vulnerability has been discovered in Microsoft Exchange servers, enabling attackers to run malicious scripts on vulnerable systems. The zero-day flaw, labeled as CVE-2026-42897, involves a spoofing and cross-site scripting (XSS) issue affecting multiple versions of the Microsoft Exchange Server software.

"According to Microsoft’s official advisory, the vulnerability exists in the Exchange Server’s web application, particularly in how user input is handled."

"When a specifically designed URL is sent to an unsuspecting user, and they interact with the email through their Outlook Web Access (OWA), arbitrary JavaScript can be executed in the browser context."

This presents a substantial security risk: script running in the victim's browser runs with that user's signed-in OWA session and can act on the user's behalf within it. The vulnerability affects Exchange Server Subscription Edition, Exchange Server 2016 and Exchange Server 2019.

Mitigation Options Provided by Microsoft

Microsoft has published interim mitigations to reduce the risk of exploitation until a permanent patch is released. Administrators should apply them now and install the patch as soon as it ships.

US Government Response

The US Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog, a database of vulnerabilities confirmed to be exploited in the wild. At the time of writing, this vulnerability had not yet been added to that catalog.

Importance of Vigilance

Because so many organizations depend on Microsoft Exchange for email, it is crucial that administrators and users stay informed about emerging security risks and apply mitigations and patches promptly.

