CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day

Microsoft warned that attackers are exploiting a new Exchange Server zero-day vulnerability, tracked as CVE-2026-42897, in the wild.
Microsoft warned that threat actors are actively exploiting a new Exchange Server zero-day vulnerability tracked as CVE-2026-42897 (CVSS score 8.1).
The vulnerability is an improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server. An attacker can exploit the flaw to perform spoofing over a network.
“Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network,” reads the advisory.
Microsoft warned that the Exchange Server zero-day affects Outlook Web Access (OWA). Attackers can exploit the flaw by sending a specially crafted email that executes malicious JavaScript when opened in Outlook Web Access under certain conditions.
Microsoft confirmed it had detected active exploitation of CVE-2026-42897 in the wild; however, it has not disclosed details about any attacks exploiting the issue.
Until a permanent security update becomes available, Microsoft has released temporary mitigation measures and urged administrators to apply them immediately to reduce exposure to attacks.
The flaw surfaced just two days after Microsoft’s Patch Tuesday for May 2026 updates, which patched 138 vulnerabilities.
Exchange Server zero-days are dangerous because they sit at the center of corporate email, one of the most sensitive and widely used systems in any organization.
Upon exploiting Microsoft Exchange Server flaws, attackers often get a direct path into internal communications, credentials, and business workflows.
A key reason they’re high risk is exposure. Many Exchange servers, especially on-premises deployments, are internet-facing. A zero-day means attackers can exploit the flaw before a patch exists, leaving defenders with no direct fix, only temporary mitigations.
OWA (Outlook Web Access) makes things worse. If a vulnerability is triggered through the browser, attackers can use simple phishing-style emails to deliver it. In some cases, just opening an email in Outlook on the web can be enough to run malicious code in the user’s session.
Once attackers compromise Exchange, they can access emails and attachments, steal credentials, reset passwords, move into other systems, and maintain long-term access using mail rules or tokens.
Finally, Exchange zero-days are frequently targeted in cyber espionage and ransomware campaigns because they provide high-value access with relatively low noise.
In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability, tracked as CVE-2023-21529, to its Known Exploited Vulnerabilities (KEV) catalog.
Pierluigi Paganini
(SecurityAffairs – hacking, Microsoft Exchange Server)

