
Microsoft Exchange Server 0-Day Vulnerability Exploited in Attacks Using Weaponized Email

Source: Cybersecurity News. Archived Jun 11, 2026.

By Abinaya, June 11, 2026

Microsoft has confirmed active exploitation of a new zero-day spoofing flaw in on-premises Exchange Server, tracked as CVE-2026-42897. The flaw allows attackers to execute arbitrary JavaScript in Outlook Web Access (OWA) simply by sending a weaponized email that a victim opens in a browser.

On May 14, 2026, Microsoft disclosed CVE-2026-42897 as a spoofing vulnerability in Exchange Outlook Web Access that stems from improper neutralization of user input during web page generation, essentially a cross-site scripting (XSS) bug (CWE-79). An unauthenticated attacker can send a specially crafted email. When the target opens it in OWA and specific interaction conditions are met, attacker-supplied JavaScript executes in the browser context of the logged-in user.

The flaw affects all update levels of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE), while Exchange Online (Microsoft 365) is not impacted.

Microsoft Exchange Server 0-Day Vulnerability

Microsoft's exploitability assessment classifies the CVE as "Exploitation Detected," confirming that real-world attacks are already leveraging this issue. CVE-2026-42897 is rated Critical with a CVSS v3.1 base score of 8.1, reflecting a network-reachable attack that requires no privileges on the attacker side and only basic user interaction (opening an email in OWA).

Successful exploitation allows the attacker to execute JavaScript in the victim's browser session, enabling email spoofing, credential theft, session hijacking, and actions performed on behalf of the compromised user. Because the attack is delivered via email and triggers when content is rendered in OWA, it can bypass traditional attachment- or link-focused security controls and blend into normal mailbox activity.

Microsoft notes that exploitation has only been observed via OWA rendering; Exchange Online and non-OWA access paths are currently not known to be affected.

Microsoft's primary short-term defense is the Exchange Emergency Mitigation (EM) Service, which is enabled by default on supported on-premises Exchange servers and automatically deploys mitigation M2.1.x for CVE-2026-42897. Organizations can verify mitigation status using the EM "Viewing Applied Mitigations" guidance or the Exchange Health Checker script, which surfaces an EEMS check section in its HTML report.

For disconnected or air-gapped environments, Microsoft provides the Exchange On-Premises Mitigation Tool (EOMT), which applies CVE-specific mitigations per server via a PowerShell script named PowerShell.ps1 with the CVE parameter. These mitigations rely on browser Content Security Policy (CSP) and therefore do not protect users accessing OWA through Internet Explorer or Edge in Internet Explorer Mode, which lacks CSP support.

On June 9, 2026, Microsoft released Security Updates (SUs) for Exchange SE RTM, Exchange Server 2019 CU14/CU15, and Exchange Server 2016 CU23 that include a permanent fix for CVE-2026-42897, with the 2016/2019 updates available only to customers in the Period 2 Extended Security Update (ESU) program. Microsoft recommends installing the June 2026 SUs as soon as possible and keeping the CVE-2026-42897 mitigation in place as an extra defense layer even after patching.

Microsoft warns that applying the mitigation (via EM Service or EOMT) may break or degrade certain OWA features, including calendar printing, inline image display in the reading pane, OWA Light, published calendars, and the OWACalendar proxy health set, which may trigger false alerts in monitoring systems. These issues are expected to clear once organizations install the June 2026 update and then manually remove the mitigation if they choose to do so.

The June 2026 blog also highlights that EM and feature flighting services will stop consuming new configuration files from July 2026 unless Exchange servers are updated to at least the June 2026 level, reinforcing the need to move to current builds. For organizations still on Exchange 2016/2019 without Period 2 ESU, Microsoft advises migrating to Exchange SE to maintain access to future security fixes.