Microsoft Exchange Zero-Day Under Attack, No Patch Available

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and Informa

Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.

CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.

May 18, 2026

Microsoft on Thursday disclosed a zero-day vulnerability in Exchange that's under active exploitation, but four days later customers are still awaiting a patch.

Microsoft Exchange Zero-Day Under Attack, No Patch Available

Other newsrooms on this story

Related reading

Microsoft warns of Exchange zero-day flaw exploited in attacks

Active Microsoft Exchange zero-day leaves organisations exposed

Microsoft Exchange: Zero-day vulnerability is being attacked

Microsoft Confirms Active 0-Day Exploit—Check Emergency Mitigation

Microsoft Confirms Active 0-Day Exploit—Check Emergency Mitigation Now

Microsoft Exchange: Zero-Day-Lücke wird angegriffen