Microsoft Exchange Zero-Day Under Attack, No Patch Available
Recorded: May 18, 2026, 9:59 p.m.
Original
CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.

Rob Wright, Senior News Director, Dark Reading
May 18, 2026
3 Min Read
Microsoft on Thursday disclosed a zero-day vulnerability in Exchange that's under active exploitation, but four days later customers are still awaiting a patch.

The zero-day, tracked as CVE-2026-42897, affects Exchange Outlook Web Access (OWA) and enables an unauthorized attacker to execute spoofing attacks over a network. According to Microsoft, the zero-day stems from a cross-site scripting (XSS) flaw, one of the most common classes of software vulnerability found by security researchers and a perennial entry in the Open Web Application Security Project's (OWASP) Top 10.

"An attacker could exploit this issue by sending a specially crafted email to a user," Microsoft said in an advisory. "If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context."

CVE-2026-42897 was disclosed two days after a large Patch Tuesday release last week that, ironically, contained no zero-days. The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Friday.

Cyber-Risks to OWA Users

CVE-2026-42897 affects the on-premises versions of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Microsoft assigned the zero-day a CVSS score of 8.1, though NIST's National Vulnerability Database assigned it a medium-severity 6.1 score. A 6.1 is what the CVSS v3 calculator produces for the textbook XSS vector (network, low complexity, no privileges, user interaction required, scope changed, low confidentiality and integrity impact), so the two scores differ mainly on how heavily the impact of a hijacked mailbox is weighed.

Microsoft did not provide details about the potential scope of cyberattacks, but in an advisory published on Monday, the Centre for Cybersecurity Belgium (CCB) warned that successful exploitation could give a threat actor access to a victim's Outlook mailbox and session tokens, and also allow them to make unauthorized changes to mailbox settings or modifications to email content.
While CVE-2026-42897 is a Microsoft Exchange Server vulnerability, the risk is to OWA users' mailboxes. In a LinkedIn post, Bogdan Tiron, founder of penetration testing firm Fortbridge, emphasized the impact "isn't server compromise. It's mailbox compromise — reading mail, sending emails as the victim, stealing session tokens, planting forwarding rules that survive password resets." He warned that such mailbox compromises can lead to business email compromise (BEC) or ransomware attacks.

Tiron also noted that XSS "still owns enterprise mail in 2026," adding that while such flaws may be considered "junior" threats by the cybersecurity industry, attackers continue to exploit them for reliable initial access to victims' networks. "The boring vulnerabilities are the ones that keep working," he warned.

Mitigating the Microsoft Exchange Zero-Day

In a blog post, Microsoft provided two mitigation options that customers can apply while they wait for a patch to arrive. The first, which Microsoft recommended, is for organizations running the Exchange Emergency Mitigation (EM) Service: Microsoft has released a mitigation for Exchange Server 2016, 2019, and SE instances that the service downloads and applies automatically.

Microsoft noted that the Exchange EM Service was released in 2021 and is enabled by default. "Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away," the software giant said.

It's unclear what percentage of Exchange customers currently have the EM service enabled. Dark Reading contacted Microsoft for comment, and a company spokesperson provided the following statement but did not elaborate further: "We have issued CVE-2026-42897 to address a spoofing vulnerability affecting Exchange Outlook Web Access (OWA). 
We recommend customers enable EEMS to be better protected and to follow our guidance available here."

The second mitigation option is an updated Exchange On-premises Mitigation Tool (EOMT), which Microsoft recommended customers download and apply either on a per-server basis or by executing the script through an elevated Exchange Management Shell (EMS).

Microsoft disclosed several issues caused by the mitigation, including disruptions to OWA Print Calendar and OWA Light functionality, among other hiccups. Neither option replaces the eventual fix: the mitigation narrows the attack surface until a security update ships, and administrators should expect the documented user-visible side effects in the meantime. Microsoft said it is currently working on a security update for the bug and will deploy it for affected Exchange versions "in the future," though no timetable was provided.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
Summarized

Microsoft disclosed a zero-day vulnerability in Exchange that is being actively exploited in the wild, with no official patch yet available. The vulnerability, tracked as CVE-2026-42897, originates from a cross-site scripting (XSS) flaw and threatens Exchange Outlook Web Access (OWA) mailboxes by allowing an unauthorized attacker to execute spoofing attacks over a network. Microsoft said an attacker can exploit the issue by sending a specially crafted email; if a user opens the email in OWA and specific interaction conditions are met, arbitrary JavaScript executes in the browser context. XSS is a common class of software vulnerability that regularly appears in the Open Web Application Security Project's Top 10.

The vulnerability affects on-premises versions of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Microsoft assigned the zero-day a CVSS score of 8.1, while NIST's National Vulnerability Database assigned it a medium-severity 6.1. The Centre for Cybersecurity Belgium warned that successful exploitation could give a threat actor access to a victim's Outlook mailbox and session tokens, enabling them to modify mailbox settings or email content. Bogdan Tiron, founder of Fortbridge, stressed that the primary risk is mailbox rather than server compromise: reading mail, sending email as the victim, stealing session tokens, and planting forwarding rules that persist after a password reset, all of which can lead to business email compromise (BEC) or ransomware.

Tiron added that while some in the industry treat XSS as a junior-level threat, attackers continue to use such flaws for reliable initial access, and that these are precisely the vulnerabilities that keep working. Pending a patch, Microsoft offered two mitigation options. The recommended one relies on the Exchange Emergency Mitigation (EM) Service, which is enabled by default and automatically applies a mitigation to Exchange Server 2016, 2019, and SE instances; Microsoft advised enabling it immediately where it has been disabled. The second is the updated Exchange On-premises Mitigation Tool (EOMT), which customers can download and run on a per-server basis or through an elevated Exchange Management Shell. Microsoft disclosed side effects of the mitigation, including disruptions to OWA Print Calendar and OWA Light functionality, and said it is working on a security update for affected Exchange versions to be released in the future. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
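The following PowerShell is an added triage example for the two practical points above (verifying the EM Service mitigation posture, and hunting for the mailbox-level persistence Tiron and the CCB describe); it is not code from the article, from Microsoft's EOMT, or from Fortbridge. It is meant to be run from an elevated Exchange Management Shell on an on-premises Exchange 2016, 2019, or SE server. Assumptions not stated on the page: the page does not give the mitigation ID Microsoft published for this CVE, so the script lists every applied mitigation rather than checking for one; the Application-log provider name `MSExchange Mitigation Service` is assumed, and the event query returns nothing if it differs; the `$LookbackDays` window is an arbitrary default.

```powershell
<#
  Added triage script for CVE-2026-42897 (example code, not Microsoft's EOMT and
  not code from the article). Run in an elevated Exchange Management Shell on an
  on-premises Exchange 2016 / 2019 / SE server.

  Assumptions (not from the page):
    * No mitigation ID for this CVE is given, so step 1 lists everything applied.
    * EM Service event provider name 'MSExchange Mitigation Service' is assumed.
#>
param(
    [int]$LookbackDays = 14   # assumed default window for audit and event queries
)

$since = (Get-Date).AddDays(-$LookbackDays)

# ---- 1. Mitigation posture: is the EM Service on, and what has it applied? --------
# Org-level switch (re-enable with: Set-OrganizationConfig -MitigationsEnabled $true).
$org = Get-OrganizationConfig
"Org-level MitigationsEnabled : $($org.MitigationsEnabled)"

# Per-server state. MitigationsApplied / MitigationsBlocked are the server properties
# behind Set-ExchangeServer's parameters of the same name; Microsoft's own
# Get-Mitigations.ps1 in $env:ExchangeInstallPath\Scripts prints the same list.
Get-ExchangeServer | Where-Object { $_.IsMailboxServer } | ForEach-Object {
    [pscustomobject]@{
        Server             = $_.Name
        Version            = $_.AdminDisplayVersion
        MitigationsEnabled = $_.MitigationsEnabled
        MitigationsApplied = ($_.MitigationsApplied -join ', ')
        MitigationsBlocked = ($_.MitigationsBlocked -join ', ')
    }
} | Format-Table -AutoSize

# Recent EM Service activity on this server (downloads and applied mitigations).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchange Mitigation Service'   # assumed provider name
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# ---- 2. Mailbox persistence hunt: forwarding that survives a password reset -------
$mailboxes = Get-Mailbox -ResultSize Unlimited

# (a) Forwarding configured on the mailbox object itself (an admin-level change).
$mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward |
    Format-Table -AutoSize

# (b) Inbox rules that forward, redirect, or silently delete mail. These are what an
#     attacker holding an OWA session can create from the client, and they live in
#     the mailbox, so resetting the user's password does not remove them.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                      DeleteMessage
}

# ---- 3. Who changed mailbox forwarding through the shell? (admin audit log) --------
Search-AdminAuditLog -Cmdlets Set-Mailbox `
    -Parameters ForwardingSmtpAddress, ForwardingAddress `
    -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified,
                  @{ n = 'Parameters'; e = {
                      ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
                  } } |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it from the Exchange Management Shell rather than a plain PowerShell window so the Exchange cmdlets resolve. Step 2(b) calls Get-InboxRule once per mailbox and is slow in large organizations; scope `$mailboxes` to the OWA-enabled population if needed. The script only reports: re-enabling the EM Service, removing rogue rules, and revoking forwarding are deliberate follow-up actions, and none of this substitutes for applying Microsoft's security update when it ships.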