Active Exploitation of Microsoft Exchange Server Zero‑Day (CVE‑2026‑42897) Threatens Enterprise Email
What It Is – Microsoft has confirmed that a newly disclosed cross‑site scripting (XSS) flaw in Exchange Server (CVE‑2026‑42897) is being actively exploited in the wild. The vulnerability allows an unauthenticated attacker to inject malicious JavaScript into Outlook Web Access (OWA) pages. Because the injected script runs in the victim's browser inside an authenticated OWA session, it can be used for credential theft, session hijacking, and sending mail as the victim (email spoofing).
Exploitability – Active exploitation has been observed, and proof‑of‑concept code is publicly available. The CVSS base score is 8.1 (High). No permanent patch has been released yet; Microsoft has provided only temporary mitigations.
Affected Products – Microsoft Exchange Server (on‑premises and hybrid deployments) – specifically the Outlook Web Access (OWA) component.
TPRM Impact –
- Exchange is a core communication platform for most enterprises; a compromise can expose sensitive business communications, credentials, and downstream systems.
- Many organizations rely on third‑party managed service providers (MSPs) to host or administer Exchange, expanding the attack surface across supply chains.
- An exploited Exchange server can become a foothold for ransomware, espionage, or credential‑theft campaigns that affect partner ecosystems.
Recommended Actions –
- Apply Microsoft's temporary mitigation immediately: remove OWA from Internet exposure (block /owa at the firewall or reverse proxy, not only in the Exchange configuration) or apply the Content Security Policy headers Microsoft specifies. Test any CSP change outside production first, since an overly restrictive policy can break OWA itself.
- Inventory all on‑premises Exchange servers first and flag every deployment that publishes OWA to the Internet; those are the servers to mitigate and monitor first.
- Accelerate patch testing for the forthcoming May 2026 security update so that it can be deployed within 24 hours of release.
- Enforce multi‑factor authentication (MFA) for all OWA users. MFA limits reuse of stolen passwords but does not stop a script that is already running inside an authenticated session, so also monitor for anomalous OWA logins (new locations, devices, or times) and unexpected session activity.
- Review transport rules, mailbox forwarding settings, and user inbox rules for unauthorized redirects, copies, or forwarding that could indicate attacker persistence after credential theft.
- Coordinate with any MSPs or cloud‑hosting partners to verify they have applied the mitigations on your behalf.
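The Exchange Management Shell script below is an added example, not part of this advisory and not Microsoft's published guidance. It carries out three of the actions above in one pass: the server and OWA inventory, the "stop publishing OWA externally" mitigation, and the forwarding/redirect review across transport rules, mailbox forwarding settings, and inbox rules. It assumes an on‑premises Exchange 2016/2019 organization and a session with Organization Management rights; the -Apply switch, the report directory, and the choice of "clear the OWA ExternalUrl" as the mitigation are illustrative assumptions, and the script is report‑only unless -Apply is given.

```powershell
# Added example, not from the advisory or from Microsoft. Run in the Exchange
# Management Shell with Organization Management rights. Report-only by default;
# -Apply clears the OWA ExternalUrl on Internet-facing virtual directories.
[CmdletBinding()]
param(
    [switch]$Apply,
    [string]$ReportDir = "$env:TEMP\exchange-triage"   # illustrative path
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# --- 1. Inventory: every Exchange server and its OWA virtual directories ---
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox|ClientAccess' }
$owaDirs = foreach ($s in $servers) {
    Get-OwaVirtualDirectory -Server $s.Name -ErrorAction SilentlyContinue
}
# An ExternalUrl means the directory is published (or meant to be) on the Internet.
$internetFacing = @($owaDirs | Where-Object { $_.ExternalUrl })
$owaDirs | Select-Object Server, Name, InternalUrl, ExternalUrl |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'owa-inventory.csv')
$summary = '{0} server(s), {1} OWA directories, {2} with an ExternalUrl'
$summary -f @($servers).Count, @($owaDirs).Count, $internetFacing.Count

# --- 2. Temporary mitigation: stop publishing OWA externally ---
# Clearing ExternalUrl only stops Exchange from advertising the URL (for
# example via Autodiscover). Access is actually removed by blocking /owa at
# the firewall or reverse proxy; do that as well and record both changes
# so the MSP or hosting partner can confirm them.
if ($Apply) {
    foreach ($d in $internetFacing) {
        Set-OwaVirtualDirectory -Identity $d.Identity -ExternalUrl $null
        "Cleared ExternalUrl on $($d.Identity)"
    }
}

# --- 3. Persistence review: transport rules, mailbox forwarding, inbox rules ---
# Any rule that copies, redirects or forwards mail, or silently deletes it,
# is a candidate for attacker persistence after credential theft. Every hit
# is exported for analyst review; nothing is deleted automatically.
$transport = Get-TransportRule | Where-Object {
    $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients
}
$transport | Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo,
    AddToRecipients, WhenChanged |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'transport-rules.csv')

$mailboxes = Get-Mailbox -ResultSize Unlimited
$forwarding = $mailboxes | Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress }
$forwarding | Select-Object Name, PrimarySmtpAddress, ForwardingAddress,
    ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'mailbox-forwarding.csv')

# Get-InboxRule is called once per mailbox, so this step is slow in large
# organizations; run it against high-value mailboxes first if time is short.
$inbox = foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.Identity -ErrorAction SilentlyContinue | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    }
}
$inbox | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo,
    ForwardAsAttachmentTo, RedirectTo, DeleteMessage |
    Export-Csv -NoTypeInformation -Path (Join-Path $ReportDir 'inbox-rules.csv')

$summary = '{0} transport rule(s), {1} mailbox forward(s), {2} inbox rule(s) flagged; reports in {3}'
$summary -f @($transport).Count, @($forwarding).Count, @($inbox).Count, $ReportDir
```

Run it first without -Apply to get the inventory and rule reports, then with -Apply once the firewall or reverse‑proxy block for /owa is in place. The CSV files give you something concrete to hand to an MSP or hosting partner when asking them to confirm the mitigation, and a baseline to diff against after the May 2026 update is deployed.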