The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Exchange Server, tracked as CVE-2026-42897 (CVSS score of 8.1), to its Known Exploited Vulnerabilities (KEV) catalog.
This week, Microsoft warned that threat actors are actively exploiting a new Exchange Server zero-day vulnerability tracked as CVE-2026-42897.
The vulnerability is an improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server. An attacker can exploit the flaw to perform spoofing over a network.
“Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.” reads the advisory.
Microsoft warned that the Exchange Server zero-day affects Outlook Web Access (OWA). Attackers can exploit the flaw by sending a specially crafted email that executes malicious JavaScript when opened in Outlook Web Access under certain conditions.
Microsoft confirmed it had detected active exploitation of CVE-2026-42897 in the wild; however, it has not disclosed details about any attacks exploiting the issue.
Until a permanent security update becomes available, Microsoft has released temporary mitigation measures and urged administrators to apply them immediately to reduce exposure to attacks.
The flaw surfaced just two days after Microsoft’s Patch Tuesday for May 2026 updates, which patched 138 vulnerabilities.
Exchange Server zero-days are dangerous because they sit at the center of corporate email, one of the most sensitive and widely used systems in any organization.
Upon exploiting Microsoft Exchange Server flaws, attackers often get a direct path into internal communications, credentials, and business workflows.
A key reason they’re high risk is exposure. Many Exchange servers, especially on-premises deployments, are internet-facing. A zero-day means attackers can exploit the flaw before a patch exists, leaving defenders with no direct fix, only temporary mitigations.
OWA (Outlook Web Access) makes things worse. If a vulnerability works through the browser, attackers can use simple phishing-style emails to trigger it. In some cases, just opening an email in Outlook on the web can be enough to run malicious code in the user’s session.
Once attackers compromise Exchange, attackers can access emails and attachments, steal credentials, reset passwords, move into other systems, and maintain long-term access using mail rules or tokens.
Finally, Exchange zero-days are frequently targeted in cyber espionage campaigns and ransomware campaigns because they provide high-value access with relatively low noise.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by May 29, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。