
Critical Zero-Day Vulnerability in Microsoft Exchange Server Exploited

Severity: High (Score: 69.9)

Sources: www.cve.org, Theregister, Securityaffairs.Co, Bleepingcomputer, msrc.microsoft.com

Summary

Microsoft has issued a warning regarding a critical zero-day vulnerability in Exchange Server, tracked as CVE-2026-42897, which allows attackers to execute arbitrary JavaScript code in the browser context of users via specially crafted emails. This vulnerability affects on-premises Exchange Server 2016, 2019, and Subscription Edition, while Exchange Online remains unaffected. Active exploitation of this flaw has been confirmed, prompting Microsoft to recommend enabling the Exchange Emergency Mitigation Service (EEMS) to mitigate risks. Patches are currently in development, but only customers enrolled in the Extended Security Updates (ESU) program will receive them. The vulnerability has a high CVSS score of 8.1, indicating its severity and potential impact on organizations. Administrators are urged to take immediate action to protect their systems.

Key Points:

  • CVE-2026-42897 is a critical vulnerability in Microsoft Exchange Server that is being actively exploited.
  • Affected systems include Exchange Server 2016, 2019, and Subscription Edition; Exchange Online is not affected.
  • Microsoft recommends enabling the Emergency Mitigation Service for immediate protection.

Key Entities

  • Phishing (attack_type)
  • Zero-day Exploit (attack_type)
  • XSS (vulnerability)
  • ProxyLogon (vulnerability)
  • ProxyShell (vulnerability)
  • Microsoft (company)
  • NHS England (company)
  • Outlook (company)
  • CVE-2026-42897 (cve)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • T1059.007 - JavaScript (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Exchange Online (platform)
  • Exchange Server (platform)
  • Microsoft Exchange Server (platform)
  • Outlook Web Access (platform)
  • Windows (platform)