Microsoft Exchange Zero-Day Under Attack, No Patch Available - Dark Reading

Dark Reading Archived May 25, 2026 ✓ Full text saved
CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.

Rob Wright, Senior News Director, Dark Reading
May 18, 2026
3 Min Read
Source: Piotr Swat via Alamy Stock Photo

Microsoft on Thursday disclosed a zero-day vulnerability in Exchange that's under active exploitation, but four days later customers are still awaiting a patch.

The zero-day, tracked as CVE-2026-42897, affects Exchange Outlook Web Access (OWA) and enables an unauthorized attacker to execute spoofing attacks over a network. According to Microsoft, the zero-day stems from a cross-site scripting (XSS) flaw, which is one of the most common software vulnerabilities found by security researchers, frequently making the Open Web Application Security Project's (OWASP) Top 10 lists.

"An attacker could exploit this issue by sending a specially crafted email to a user," Microsoft said in an advisory. "If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context."

CVE-2026-42897 was disclosed two days after a large Patch Tuesday release last week that, ironically, contained no zero-days. The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Friday.

Cyber-Risks to OWA Users

CVE-2026-42897 affects the on-premises versions of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Microsoft assigned the zero-day a CVSS score of 8.1, though NIST's National Vulnerability Database assigned it a medium-severity 6.1 score.
Microsoft did not provide details about the potential scope of cyberattacks, but in an advisory published on Monday, the Centre for Cybersecurity Belgium (CCB) warned that successful exploitation could give a threat actor access to a victim's Outlook mailbox and session tokens, and also allow them to make unauthorized changes to mailbox settings or modifications to email content.

While CVE-2026-42897 is a Microsoft Exchange Server vulnerability, the risk is to OWA users' mailboxes. In a LinkedIn post, Bogdan Tiron, founder of penetration testing firm Fortbridge, emphasized that the impact "isn't server compromise. It's mailbox compromise — reading mail, sending emails as the victim, stealing session tokens, planting forwarding rules that survive password resets." He warned that such mailbox compromises can lead to business email compromise (BEC) or ransomware attacks.

Tiron also noted that XSS "still owns enterprise mail in 2026," adding that while such flaws may be considered "junior" threats by the cybersecurity industry, attackers continue to exploit them for reliable initial access to victims' networks. "The boring vulnerabilities are the ones that keep working," he warned.

Mitigating the Microsoft Exchange Zero-Day

In a blog post, Microsoft provided two mitigation options that customers can apply while they wait for a patch to arrive. The first, which Microsoft recommended, is for organizations running the Exchange Emergency Mitigation (EM) Service, which has received a mitigation for Exchange Server 2016, 2019, and SE instances that is enabled automatically. Microsoft noted that the Exchange EM Service was released in 2021 and is enabled by default.

"Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away," the software giant said.
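As an added example (not code from Microsoft, Dark Reading or Fortbridge), the Exchange Management Shell script below covers the two checks a defender would want after reading the passages above: whether the EM Service mitigations are actually enabled and applied on each on-premises server, and whether any mailbox carries the kind of external forwarding (mailbox-level or inbox-rule based) that Tiron describes as surviving a password reset. It assumes the `MitigationsEnabled` and `MitigationsApplied` properties that `Get-OrganizationConfig` and `Get-ExchangeServer` expose on Exchange builds that ship the EM Service, plus the standard `Get-Mailbox`, `Get-InboxRule` and `Get-AcceptedDomain` output; the function names are mine, and the regex for pulling an SMTP address out of a rule recipient is an assumption about how those recipients render as strings.

```powershell
# Added example, not the vendor's tooling. Run from an elevated Exchange Management
# Shell on an on-premises Exchange 2016 / 2019 / SE server.

function Get-EmsMitigationStatus {
    # Org-level switch first: if this is $false, EM Service is off everywhere.
    $org = Get-OrganizationConfig
    [PSCustomObject]@{
        Scope              = 'Organization'
        Name               = $org.Name
        MitigationsEnabled = $org.MitigationsEnabled
        MitigationsApplied = $null
    }
    # Then per server: the enabled flag plus the mitigation IDs already applied
    # (assumed property names, present once the EM Service is installed).
    foreach ($srv in Get-ExchangeServer) {
        [PSCustomObject]@{
            Scope              = 'Server'
            Name               = $srv.Name
            MitigationsEnabled = $srv.MitigationsEnabled
            MitigationsApplied = (@($srv.MitigationsApplied) -join ',')
        }
    }
}

function Test-ExternalAddress {
    param([string]$Recipient, [string[]]$InternalDomains)
    # Rule recipients render as display strings; pull out the first SMTP address.
    if ($Recipient -match '([^\s"\[\]<>:]+@[^\s"\[\]<>:]+)') {
        $domain = $Matches[1].Split('@')[1].ToLower()
        return ($InternalDomains -notcontains $domain)
    }
    # No resolvable address (e.g. a deleted recipient): surface it for review.
    return $true
}

function Find-SuspiciousForwarding {
    # Accepted domains define "internal"; anything else is external forwarding.
    $internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailbox-level forwarding (Set-Mailbox) is not touched by a password reset.
        if ($mbx.ForwardingSmtpAddress) {
            $addr = $mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', ''
            if (Test-ExternalAddress -Recipient $addr -InternalDomains $internal) {
                [PSCustomObject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Kind     = 'MailboxForwarding'
                    Rule     = $null
                    Target   = $addr
                    KeepCopy = $mbx.DeliverToMailboxAndForward
                }
            }
        }
        # Inbox rules: forward, forward-as-attachment or redirect to an external
        # address, or rules that silently delete mail (common BEC cover-up pattern).
        foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
            $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                        Where-Object { $_ }
            $external = @($targets | Where-Object {
                            Test-ExternalAddress -Recipient "$_" -InternalDomains $internal })
            if ($external.Count -gt 0 -or $rule.DeleteMessage) {
                [PSCustomObject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Kind     = if ($rule.DeleteMessage) { 'InboxRule-Delete' } else { 'InboxRule-Forward' }
                    Rule     = $rule.Name
                    Target   = ($external -join ';')
                    KeepCopy = -not $rule.DeleteMessage
                }
            }
        }
    }
}

# Usage: mitigation state to the console, forwarding findings to a CSV for triage.
Get-EmsMitigationStatus | Format-Table -AutoSize
Find-SuspiciousForwarding | Export-Csv -NoTypeInformation -Path .\owa-forwarding-audit.csv
```

Any server row with `MitigationsEnabled` false, or with an empty `MitigationsApplied` list while the organization-level flag is true, is one that has not picked up the automatic mitigation and should be handled with the second option the article describes. The forwarding audit is noisy by design: legitimate external forwarding exists, so the CSV is a review list, not an alert feed.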
It's unclear what percentage of Exchange customers currently have the EM Service enabled. Dark Reading contacted Microsoft for comment, and a company spokesperson provided the following statement but did not elaborate further: "We have issued CVE-2026-42897 to address a spoofing vulnerability affecting Exchange Outlook Web Access (OWA). We recommend customers enable EEMS to be better protected and to follow our guidance available here."

The second mitigation option is an updated Exchange On-premises Mitigation Tool (EOMT), which Microsoft recommended customers download and apply either on a per-server basis or by executing the script through an elevated Exchange Management Shell (EMS).

Microsoft disclosed several issues caused by the mitigation, including disruptions to OWA Print Calendar and OWA Light functionality, among other hiccups. Microsoft said it is currently working on a security update for the bug and will deploy it for affected Exchange versions "in the future," though no timetable was provided.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. At TechTarget and Dark Reading, he has won several Azbee awards, including the 2026 National Silver Award for a series on vibe coding.
At Dark Reading, Rob currently covers security operations, cloud security, and Internet infrastructure. He has a keen interest in malvertising activity and the certificate authority industry, and has written extensively on both topics. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.