Critical XSS Zero‑Day (CVE‑2026‑42897) in Microsoft Exchange Actively Exploited, No Patch Available
What It Is — A newly disclosed cross‑site scripting (XSS) vulnerability (CVE‑2026‑42897) in Microsoft Exchange Server allows an attacker to inject malicious scripts into Outlook Web Access (OWA) sessions, potentially hijacking user mailboxes.
Exploitability — Threat actors are observed weaponising the flaw in the wild; no vendor‑issued patch or mitigation exists yet. CVSS v3.1 base score is 9.8 (Critical).
Affected Products — Microsoft Exchange Server 2016, 2019, and Exchange Online (OWA component).
TPRM Impact — Organizations that rely on Exchange‑hosted email—whether on‑premises, via a managed service provider, or through Microsoft 365—face immediate supply‑chain risk. Compromise of OWA can lead to credential theft, internal email exfiltration, and lateral movement across partner networks.
Recommended Actions
- Immediately enforce multi‑factor authentication (MFA) for all OWA accounts.
- Deploy web‑application firewalls (WAF) or reverse‑proxy rules to block suspicious script payloads.
- Conduct rapid inventory of all Exchange instances and verify they are isolated from external access where possible.
- Monitor authentication logs for anomalous OWA activity and implement real‑time alerting.
- Engage Microsoft support for temporary mitigations and stay on alert for an official patch.
Source: Dark Reading