CISA has issued a fresh warning about a newly disclosed Microsoft Exchange Server vulnerability that is already being exploited in real-world attacks, raising concerns for organizations relying on on-premises email infrastructure.
The flaw, tracked as CVE-2026-42897, is a cross-site scripting (XSS) vulnerability affecting Microsoft Exchange Server, specifically within Outlook Web Access (OWA).
According to the official advisory, the issue occurs during web page generation. It can be triggered under certain interaction conditions, allowing attackers to execute arbitrary JavaScript in a victim’s browser.
The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, signaling confirmed active exploitation in the wild.
Federal agencies and organizations that follow the Binding Operational Directive (BOD) 22-01 are required to remediate the issue by May 29, 2026.
Microsoft Exchange Server Vulnerability Exploit
Security researchers note that XSS flaws in enterprise email platforms like Exchange are particularly dangerous because they can be weaponized to hijack authenticated sessions.
In practice, an attacker could trick a user into clicking a specially crafted link that executes malicious scripts within their browser session.
This can lead to credential theft, mailbox access, or further internal compromise.
Although Microsoft has not publicly linked the vulnerability to ransomware campaigns, CISA’s inclusion of the flaw in the KEV catalog strongly indicates active interest from threat actors.
Exchange servers have historically been a high-value target for attackers due to their role in handling sensitive communications and credentials.
The vulnerability is categorized under CWE-79, a well-known class of web security flaws involving improper neutralization of input during web page generation.
Despite being a common vulnerability type, XSS remains widely exploited due to inconsistent input validation and complex web application behavior.
CISA is urging organizations to apply vendor-provided mitigations and security updates immediately.
In cases where patches are not yet available or cannot be applied, agencies are advised to follow alternative mitigation strategies outlined by Microsoft or consider discontinuing use of affected systems until they can be secured.
Security teams should also monitor Exchange server logs for suspicious activity, including unusual authentication patterns, unexpected script execution, or abnormal user behavior in Outlook Web Access sessions.
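As an added illustration of the log review recommended above (example code written for this article, not from CISA's advisory or from Microsoft), the following script scans IIS-style request logs for OWA requests whose query string carries script markers and for clients accumulating failed logons. The log lines are constructed, and the IIS W3C field order used here is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines for an Exchange front end (assumption: field order is
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status).
SAMPLE_LOG = """\
2026-05-16 08:01:12 10.0.0.5 GET /owa/ - 198.51.100.7 Mozilla/5.0 200
2026-05-16 08:01:40 10.0.0.5 POST /owa/auth.owa - 198.51.100.7 Mozilla/5.0 401
2026-05-16 08:01:41 10.0.0.5 POST /owa/auth.owa - 198.51.100.7 Mozilla/5.0 401
2026-05-16 08:01:42 10.0.0.5 POST /owa/auth.owa - 198.51.100.7 Mozilla/5.0 401
2026-05-16 08:02:10 10.0.0.5 GET /owa/ q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 203.0.113.9 Mozilla/5.0 200
2026-05-16 08:02:30 10.0.0.5 GET /owa/ q=hello 192.0.2.4 Mozilla/5.0 200
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "c_ip", "user_agent", "status"]

# Markers of script content that has no business in an OWA query string.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript\s*:|on(?:error|load|click)\s*=|<\s*(?:img|svg|iframe)\b", re.I)


def parse_line(line):
    """Return a field dict for one log line, or None for blank or comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def analyze(log_text, auth_threshold=3):
    """Flag OWA requests carrying script markers and clients with bursts of failed logons."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    script_hits = []
    failed_auth = Counter()
    for r in records:
        if not r["uri_stem"].lower().startswith("/owa"):
            continue
        # Decode once so percent-encoded payloads are matched as the browser would render them.
        query = unquote_plus(r["uri_query"]) if r["uri_query"] != "-" else ""
        if SCRIPT_MARKERS.search(query):
            script_hits.append((r["c_ip"], query))
        if r["uri_stem"].lower() == "/owa/auth.owa" and r["status"] == "401":
            failed_auth[r["c_ip"]] += 1
    auth_bursts = {ip: n for ip, n in failed_auth.items() if n >= auth_threshold}
    return {"script_hits": script_hits, "auth_bursts": auth_bursts}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

Real deployments would feed the function the server's actual IIS log files and tune the markers and threshold to local traffic before alerting.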
This latest warning underscores a broader trend of attackers actively targeting enterprise collaboration tools, especially those exposed to the internet.
With Exchange Server still widely deployed across enterprises, unpatched vulnerabilities can quickly become entry points for deeper network intrusions.
Organizations are strongly encouraged to prioritize patching efforts and review their exposure to internet-facing Exchange services to reduce the risk of exploitation.