Active Exploitation of CVE‑2026‑42897 XSS Flaw in On‑Prem Microsoft Exchange Server
What It Is — Microsoft disclosed a cross‑site scripting (XSS) vulnerability (CVE‑2026‑42897) in on‑premises Exchange Server that enables crafted emails to spoof sender identities and potentially execute malicious scripts in the victim’s mailbox. The flaw stems from insufficient sanitisation of HTML content in inbound messages.
Exploitability — An anonymous researcher confirmed that the vulnerability is being actively exploited in the wild. Proof‑of‑concept emails have been observed in multiple threat‑intel feeds. CVSS v3.1 base score 8.1 (High). No public exploit code has been released, but malicious actors are already leveraging the bug.
Affected Products — Microsoft Exchange Server 2013, 2016, 2019, and Exchange Server 2010 SP3 (on‑premises deployments). Cloud‑based Exchange Online is not affected.
TPRM Impact —
- Email spoofing can be used to launch credential‑theft phishing campaigns against employees of a third‑party vendor.
- Successful exploitation may lead to data exfiltration or ransomware deployment, creating a downstream supply‑chain risk for organizations that rely on the compromised Exchange instance.
- Service disruption or loss of email integrity can affect business continuity for partners and customers.
Recommended Actions —
- Deploy Microsoft’s out‑of‑band security update for CVE‑2026‑42897 immediately.
- Enforce strict HTML sanitisation and disable external content rendering in Exchange mail flow rules.
- Activate multi‑factor authentication (MFA) for all mailbox logins and privileged accounts.
- Monitor mail logs for anomalous sender addresses, unusual HTML payloads, and repeated failed authentication attempts.
- Consider migrating to Exchange Online or another cloud‑based email platform to reduce on‑prem exposure.
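As an added, constructed illustration of the monitoring step above (not part of the advisory and not Microsoft tooling), the following Python triage routines check a raw message for a header-From versus envelope-sender domain mismatch and for inline HTML script indicators, and count repeated failed logons per source IP; the sample message, the key=value log format and the failure threshold are all assumptions.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic): the From domain differs from the
# envelope sender, and the HTML body carries an inline event handler.
SAMPLE_MSG = """\
Return-Path: <bounce@mailer.example.net>
From: "IT Helpdesk" <helpdesk@vendor.example.com>
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the new policy.</p>
<img src="x" onerror="alert('x')"></body></html>
"""

# Constructed logon records in a hypothetical key=value format (adapt the regex to real logs).
SAMPLE_AUTH_LOG = [
    "2026-05-02T08:01:10Z event=OWA_LOGON user=j.doe result=FAIL ip=198.51.100.7",
    "2026-05-02T08:01:12Z event=OWA_LOGON user=j.doe result=FAIL ip=198.51.100.7",
    "2026-05-02T08:01:15Z event=OWA_LOGON user=a.roe result=FAIL ip=198.51.100.7",
    "2026-05-02T08:02:00Z event=OWA_LOGON user=m.lee result=OK ip=203.0.113.9",
]

# <script> tags, javascript: URLs, and on*= event handlers inside a tag.
HTML_INDICATORS = re.compile(r"<script\b|javascript:|<[^>]*\son[a-z]+\s*=", re.I | re.S)

def sender_domain_mismatch(msg):
    # Compare the header From domain with the envelope sender (Return-Path) domain.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    header = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return bool(envelope and header and envelope != header)

def html_script_indicators(msg):
    # Collect suspicious fragments from every text/html part of the message.
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            hits.extend(m.group(0) for m in HTML_INDICATORS.finditer(body))
    return hits

def failed_auth_bursts(lines, threshold=3):
    # Map source IP -> failed logon count, keeping only IPs at or above threshold.
    fails = Counter()
    for line in lines:
        m = re.search(r"result=FAIL\b.*\bip=(\S+)", line)
        if m:
            fails[m.group(1)] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}
```

A hit from any one check is a triage signal, not proof of exploitation; the mismatch check in particular should be paired with SPF/DKIM/DMARC results before alerting.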
Source: The Hacker News