Microsoft Patches Critical Exchange Server Zero-Day Vulnerability CVE-2026-42897

Severity: High (Score: 74.0)

Sources: Bleepingcomputer, Cybersecuritynews

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: microsoft, exchange, server, zero, flaw, allows, execute

Severity indicators: flaw

Summary

Microsoft has patched a high-severity zero-day vulnerability in on-premises Exchange Server, tracked as CVE-2026-42897, that lets an attacker execute arbitrary JavaScript in Outlook Web Access (OWA) by sending a specially crafted email: a cross-site scripting (XSS) flaw, which Microsoft classifies as a spoofing vulnerability. The flaw affects Exchange Server 2016, 2019, and Subscription Edition. The sender needs no credentials on the target organization; the script runs when a recipient opens the message in OWA, in that user's browser and authenticated session. Microsoft disclosed the vulnerability on May 14, 2026, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog the following day, ordering U.S. government agencies to remediate by May 29, 2026. Microsoft pushed a temporary mitigation to affected servers through the Exchange Emergency Mitigation Service (EEMS) in mid-May and released security updates on June 10, 2026, recommending immediate deployment. The flaw continues a pattern: CISA has added 20 Exchange vulnerabilities to the KEV catalog over the last five years.

Key Points:
  • CVE-2026-42897 is an XSS flaw in OWA: a crafted email executes attacker-supplied JavaScript in the recipient's authenticated session.
  • Microsoft released security updates on June 10, 2026, urging immediate deployment; an EEMS mitigation had been in place since mid-May.
  • CISA ordered U.S. government agencies to patch affected Exchange servers by May 29, 2026.

Detailed Analysis

**Impact**

The vulnerability affects on-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition installations worldwide, including those at U.S. government agencies, which CISA ordered to remediate by May 29, 2026. A remote attacker who needs no credentials on the target organization can get arbitrary JavaScript to run in the Outlook Web Access (OWA) browser session of any user who opens a crafted message, exposing that user's session and the confidentiality of mailbox data. Over the past five years, 20 Exchange vulnerabilities have been exploited in the wild, 14 of them in ransomware campaigns, so affected sectors face a high risk of operational disruption and data breaches.

**Technical Details**

Microsoft classifies CVE-2026-42897 as a spoofing vulnerability; in practice it is cross-site scripting (CWE-79): a specially crafted email, when opened in OWA, causes the recipient's browser to execute attacker-supplied JavaScript. The sender requires no authentication to the target, and the payload executes in the victim's browser context during email interaction, that is, with the victim's OWA session. Microsoft deployed an automatic temporary mitigation through the Exchange Emergency Mitigation Service (EEMS) in mid-May 2026 and released the June 2026 security updates shortly afterwards (the sources date the release to June 9 and June 10, 2026). No specific malware samples or indicators of compromise (IOCs) were disclosed in the available sources.

**Recommended Response**

Administrators should apply the June 2026 security updates for Exchange Server 2016, 2019, and SE immediately and keep the existing EEMS mitigations in place for layered defense; the mitigation was a temporary stopgap, not a substitute for the update. After patching, verify the installed build on every server rather than assuming a scheduled update completed. U.S. government agencies were required to comply with CISA's two-week directive issued on May 15, 2026, whose May 29 deadline predates the release of the updates. Monitoring for suspicious inbound email and anomalous JavaScript execution in OWA sessions is advised, though no detailed detection rules or IOCs have been published.
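The PowerShell below is an added example for the response steps above; it is not code from the source articles or from Microsoft. It inventories the on-premises Exchange servers in the organization, reads the exact build from ExSetup.exe on each server (AdminDisplayVersion only reflects the Cumulative Update, not the Security Update), compares it with the minimum fixed build that the administrator supplies from the June 2026 SU release notes, and reports whether EEMS is enabled. It assumes the Exchange Management Shell with Organization Management rights and PowerShell remoting to every Mailbox server; the function names are chosen for this example, and the build numbers in the usage line are placeholders because the fixed builds are not given on this page.

```powershell
# Added example, not code from the source articles or from Microsoft.
# Inventories on-premises Exchange servers, reads the exact installed build from
# ExSetup.exe (AdminDisplayVersion only tracks the CU, not the SU), compares it
# with the minimum fixed build supplied by the administrator, and reports the
# Exchange Emergency Mitigation Service (EEMS) state of each server.
# Assumptions: run in the Exchange Management Shell as Organization Management;
# PowerShell remoting (WinRM) to every Mailbox server is allowed; the function
# names are placeholders chosen for this example.

function Get-ExchangeBuildInventory {
    [CmdletBinding()]
    param()

    # Edge Transport servers are not domain-joined and do not expose EEMS; skip them.
    Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' } | ForEach-Object {
        $server = $_

        # Microsoft's documented way to read the SU-level build is the file version
        # of ExSetup.exe; $env:ExchangeInstallPath is set on every Exchange server.
        $buildString = Invoke-Command -ComputerName $server.Name -ScriptBlock {
            (Get-Command "$env:ExchangeInstallPath\bin\ExSetup.exe").FileVersionInfo.ProductVersion
        }

        # MitigationsEnabled / MitigationsApplied are exposed on EEMS-capable builds
        # (Exchange 2016 CU22+, Exchange 2019 CU11+, Exchange SE).
        $status = Get-ExchangeServer -Identity $server.Name -Status

        [pscustomobject]@{
            Name                = $server.Name
            Edition             = $server.Edition
            AdminDisplayVersion = $server.AdminDisplayVersion
            Build               = [version]$buildString
            MitigationsEnabled  = $status.MitigationsEnabled
            MitigationsApplied  = @($status.MitigationsApplied) -join ';'
        }
    }
}

function Test-ExchangeSuCompliance {
    # $FixedBuilds maps a major.minor prefix to the minimum build that contains the
    # fix: '15.1' covers Exchange 2016, '15.2' covers Exchange 2019 and
    # Subscription Edition (SE also reports 15.2.x builds).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable]$FixedBuilds,
        [Parameter(Mandatory, ValueFromPipeline)]$Server
    )
    process {
        $prefix   = '{0}.{1}' -f $Server.Build.Major, $Server.Build.Minor
        $required = if ($FixedBuilds.ContainsKey($prefix)) { [version]$FixedBuilds[$prefix] } else { $null }
        $patched  = if ($null -ne $required) { $Server.Build -ge $required } else { $null }

        # Patched servers should still keep EEMS on: the update fixes this CVE; the
        # service covers the window before the next emergency mitigation is needed.
        $action = if ($null -eq $patched)                  { 'Unknown version prefix; check manually' }
                  elseif (-not $patched)                   { 'Install the June 2026 SU now' }
                  elseif (-not $Server.MitigationsEnabled) { 'Patched; re-enable EEMS for layered defense' }
                  else                                     { 'OK' }

        [pscustomobject]@{
            Name          = $Server.Name
            Build         = $Server.Build
            RequiredBuild = $required
            Patched       = $patched
            EemsEnabled   = $Server.MitigationsEnabled
            Mitigations   = $Server.MitigationsApplied
            Action        = $action
        }
    }
}

# Usage. The build numbers below are PLACEHOLDERS (the fixed builds are not on
# this page); with them every server reports Patched. Replace them with the
# builds listed in the June 2026 SU release notes before trusting the output.
$fixedBuilds = @{ '15.1' = '15.1.0.0'; '15.2' = '15.2.0.0' }
Get-ExchangeBuildInventory |
    Test-ExchangeSuCompliance -FixedBuilds $fixedBuilds |
    Sort-Object Action, Name |
    Format-Table Name, Build, RequiredBuild, Patched, EemsEnabled, Action -AutoSize
```

The comparison is done on the ExSetup.exe file version rather than AdminDisplayVersion deliberately: Security Updates do not change AdminDisplayVersion, so a check based on it would report an unpatched server as current. A server that reports Patched but EemsEnabled false is flagged separately, matching the recommendation to keep EEMS active alongside the update.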

Source articles (2)

  • Microsoft patches Exchange Server zero — Bleepingcomputer · 2026-06-10
    Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Acc…
  • Microsoft Exchange Server 0 — Cybersecuritynews · 2026-06-11
    Microsoft has confirmed active exploitation of a new zero-day spoofing flaw in on-premises Exchange Server, tracked as CVE-2026-42897. The flaw allows attackers to execute arbitrary JavaScript in Outl…

Timeline

  • 2026-05-14 — CVE-2026-42897 published: Microsoft disclosed a spoofing vulnerability in Exchange Server allowing JavaScript execution via emails.
  • 2026-05-15 — CVE-2026-42897 added to CISA KEV: CISA confirmed active exploitation of the vulnerability and added it to its list of exploited flaws.
  • 2026-05-29 — CISA patch deadline for U.S. agencies: CISA mandated that U.S. government agencies patch their Exchange servers to mitigate the vulnerability.
  • 2026-06-10 — Microsoft releases security updates: Microsoft issued patches for Exchange Server to address CVE-2026-42897, advising immediate application.

CVEs

  • CVE-2026-42897

Related entities

  • XSS (Vulnerability)
  • Zero-day Exploit (Attack Type)
  • Microsoft (Company)
  • CWE-79 - Cross-Site Scripting (XSS) (CWE)
  • T1059 - Command and Scripting Interpreter (MITRE ATT&CK)
  • T1203 - Exploitation for Client Execution (MITRE ATT&CK)
  • Exchange Server (Platform)
  • Microsoft Exchange Server (Platform)
  • Outlook Web Access (Platform)