Active Exploitation of Microsoft Exchange Server XSS Zero‑Day (CVE‑2026‑42897) Added to CISA KEV Catalog
What It Is – A newly disclosed cross‑site scripting (XSS) flaw in Microsoft Exchange Server (CVE‑2026‑42897) allows an unauthenticated attacker to spoof web sessions via Outlook Web Access. Microsoft rates the vulnerability CVSS 8.1 (High) and confirms active exploitation in the wild.
Exploitability – Publicly known zero‑day; threat actors are already leveraging crafted emails to trigger malicious JavaScript in OWA. No permanent patch is available yet; only temporary mitigations have been released.
Affected Products – Microsoft Exchange Server (on‑premises and hybrid deployments) – specifically Outlook Web Access (OWA) components.
TPRM Impact – The flaw affects a core communication platform used by thousands of third‑party vendors. A breach could expose internal email traffic, credentials, and business workflows, creating a supply‑chain foothold that downstream partners inherit.
Recommended Actions –
- Apply Microsoft’s temporary mitigations immediately, following its published mitigation guidance.
- Prioritize any pending Exchange Server patches; monitor for the forthcoming permanent update.
- Enforce strict network segmentation for internet‑facing Exchange instances.
- Conduct rapid phishing‑simulation testing to gauge user susceptibility to malicious OWA links.
- Update incident‑response playbooks to include XSS‑based OWA compromise scenarios.
Source: Security Affairs