On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.

"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," the tech giant said in a Thursday advisory.

Microsoft, which tagged the vulnerability with an "Exploitation Detected" assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other "certain interaction conditions," can allow arbitrary JavaScript code to be executed in the context of the web browser.

Redmond also noted that it's providing a temporary mitigation through its Exchange Emergency Mitigation Service, while it's readying a permanent fix for the security defect.

On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

Other newsrooms on this story

Related reading

Microsoft warns of Exchange zero-day flaw exploited in attacks

New critical Exim mailer flaw allows remote code execution

Windows shell spoofing vulnerability puts sensitive data at risk

NSA Issues Microsoft Exchange Server ‘High-Risk Of Compromise’ Alert

Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks

Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own