Industry News & Leadership · May 15, 2026

Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897)

Source: Help Net Security. Archived May 15, 2026.

Zeljka Zorz, Editor-in-Chief, Help Net Security, May 15, 2026

A critical cross-site scripting (XSS) vulnerability (CVE-2026-42897) in Microsoft Exchange Server is being exploited by attackers, Microsoft warned on Thursday. A permanent fix is still in the works. In the meantime, Microsoft provided temporary mitigations.

About CVE-2026-42897

CVE-2026-42897 affects on-premises versions of Microsoft Exchange Server: Subscription Edition RTM, 2019, and 2016. Exchange Online is not affected.

Flagged by an anonymous researcher, the vulnerability allows an unauthorized attacker to perform spoofing over a network.

“An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context,” Microsoft stated.

(Outlook Web Access is a browser-based email client that lets users access their Microsoft Exchange mailbox through a web browser.)

The company hasn’t shared any details about the in-the-wild attacks, nor explained which “interaction conditions” are required for successful exploitation.

Mitigation available

“Microsoft is working on and will release and announce a security update for impacted versions of Exchange Server in the future. Update will be released for Exchange SE RTM, Exchange 2016 CU23, Exchange Server 2019 CU14 and CU15 (if you are running older CU versions, please update now),” Microsoft’s Exchange Server Team said. “Exchange 2016 and 2019 updates will be released only to customers who are enrolled in the Period 2 Exchange Server ESU program.”

Until fixes become available, a mitigation is available:

- Through the Exchange Emergency Mitigation Service. If the service is enabled – and it is by default – the mitigation is implemented automatically.
- Through the Exchange on-premises Mitigation Tool (EOMT), by running a provided script.
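The automatic path only helps if the Emergency Mitigation Service is actually enabled and running on every server, so the following Exchange Management Shell check, added here as an illustration and not taken from the article or from Microsoft's guidance, reports that state per server and lists the mitigation IDs already applied. The mitigation ID is a placeholder, since the article does not give the one Microsoft assigned to CVE-2026-42897.

```powershell
# Added example: EEMS readiness check for CVE-2026-42897, written as an
# illustration; it is not the Help Net Security article's or Microsoft's code.
# Run in the Exchange Management Shell on an on-premises Exchange 2016/2019/SE org.
# Assumption: the article does not name the mitigation ID Microsoft publishes,
# so <MITIGATION-ID> is a placeholder to replace with the real ID once known.
$ExpectedMitigationId = '<MITIGATION-ID>'

# 1. Organization-wide switch: when $false, no server applies EEMS mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization MitigationsEnabled: $orgEnabled"

# 2. Per-server state. EEMS does not run on Edge Transport servers, so skip them.
$report = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer } | ForEach-Object {
    # The Windows service behind EEMS; anything but Running means no automatic mitigation.
    $svc = Get-Service -ComputerName $_.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server             = $_.Name
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        MitigationsEnabled = $_.MitigationsEnabled          # server-level switch
        Applied            = ($_.MitigationsApplied -join ',')
        Blocked            = ($_.MitigationsBlocked -join ',')  # IDs an admin excluded
        # True only when the expected mitigation is already in place on this server.
        HasExpected        = $_.MitigationsApplied -contains $ExpectedMitigationId
    }
}
$report | Format-Table -AutoSize

# 3. Servers that will not receive the automatic mitigation need attention:
#    re-enable EEMS, or apply the mitigation with EOMT as the article describes.
$needsAction = $report | Where-Object {
    -not $orgEnabled -or -not $_.MitigationsEnabled -or
    $_.ServiceStatus -ne 'Running' -or -not $_.HasExpected
}
if ($needsAction) {
    Write-Warning "Servers without the automatic mitigation: $($needsAction.Server -join ', ')"
    # Re-enabling per server (the org-wide switch is Set-OrganizationConfig -MitigationsEnabled):
    #   Set-ExchangeServer -Identity <server> -MitigationsEnabled $true
} else {
    Write-Host "All non-Edge servers have EEMS running and the expected mitigation applied."
}
```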