Microsoft is warning of a zero-day security vulnerability in Exchange that is already being attacked in the wild. Updated software is not yet available. However, Microsoft is offering countermeasures that admins should implement as quickly as possible.
In the vulnerability description, Microsoft explains that the flaw stems from insufficient filtering of input during web page generation, i.e. a cross-site scripting (XSS) vulnerability. It allows unauthenticated attackers on the network to carry out spoofing attacks (CVE-2026-42897, CVSS 8.1, risk "high"). Microsoft nevertheless rates the severity as "critical". A blog post by Microsoft's Exchange team explains the issue and the countermeasures in more detail.
Attack Scenario
The vulnerability apparently affects Outlook Web Access (OWA) specifically. Microsoft states that attackers can send manipulated emails to victims. If a user opens such an email in OWA and certain interaction conditions, which Microsoft does not specify, are met, arbitrary JavaScript is executed in the user's browser.
Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) are affected at every update level. Microsoft is not providing software updates at this time. Instead, an automatic fix is delivered via the Exchange Emergency Mitigation (EM) Service: where the service is active, Microsoft has already applied the countermeasures. The service has been distributed since September 2021 and is enabled by default. The blog post also describes a manual variant for applying the mitigation.