Microsoft’s latest Patch Tuesday updates resolve an actively exploited Exchange Server vulnerability tracked as CVE-2026-42897.

The tech giant warned Exchange users about zero-day attacks exploiting CVE-2026-42897 on May 14, when it provided temporary mitigations.

CISA added the security hole to its Known Exploited Vulnerabilities (KEV) catalog on May 15, instructing federal agencies to address it by May 29.

The vulnerability is a spoofing and cross-site scripting (XSS) flaw that affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition.

“An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context,” Microsoft said in its advisory.