Microsoft Confirms Active Exploitation of Unpatched On-Prem Exchange Zero-Day (CVE-2026-42897) via Crafted Email
Microsoft disclosed CVE-2026-42897 on May 14, 2026, a spoofing and cross-site-scripting (XSS) zero-day in on-premises Microsoft Exchange Server that it confirmed is being actively exploited in the wild.
VERDICT — CONFIRMED

Microsoft disclosed CVE-2026-42897 on May 14, 2026, a spoofing and cross-site-scripting (XSS) zero-day in on-premises Microsoft Exchange Server that it confirmed is being actively exploited in the wild. Microsoft characterizes the flaw as 'improper neutralization of input during web page generation' that allows an unauthorized attacker to perform spoofing over a network; SecurityAffairs and HelpNetSecurity report a CVSS score of 8.1 (some outlets did not state a score). The vulnerability sits in Exchange Outlook Web Access (OWA): an attacker sends a specially crafted email, and when the recipient opens it in OWA under certain interaction conditions, arbitrary JavaScript executes in the victim's browser context—exposing communications, credentials and business workflows and facilitating lateral movement via mail rules.
Affected products are Exchange Server Subscription Edition, Exchange Server 2019 and Exchange Server 2016 at any update level; Exchange Online is not affected. The vulnerability was reported by an anonymous researcher. At disclosure no permanent patch existed; Microsoft deployed emergency mitigations via the Exchange Emergency Mitigation Service (enabled automatically where the Exchange EM service is on) plus a script for the on-premises Mitigation Tool.
Per Microsoft and CISA materials, CISA added the flaw to its KEV catalog on May 15, 2026 with a federal remediation deadline of June 5, 2026—three weeks from catalog inclusion. The incident is notable because internet-exposed on-prem Exchange remains a high-value pre-patch target and because exploitation can be triggered simply by a user opening an email in OWA.


