
Microsoft Exchange 0-Day Exploited in Weaponized Email

Emy Elsamnoudy
June 11, 2026

A new zero-day spoofing flaw impacting on-premises Exchange Server is under active exploitation, Microsoft has confirmed. The vulnerability is tracked as CVE-2026-42897.

The flaw allows attackers to execute arbitrary JavaScript in Outlook Web Access (OWA) simply by sending a weaponized email that a victim opens in a browser.

On May 14, 2026, Microsoft disclosed CVE‑2026‑42897 as a spoofing vulnerability in Exchange Outlook Web Access that stems from improper neutralization of user input during web page generation, essentially a cross‑site scripting (XSS) bug (CWE‑79).

An unauthenticated attacker can send a specially crafted email. When the target opens it in OWA and specific interaction conditions are met, attacker‑supplied JavaScript executes in the browser context of the logged‑in user.

The flaw affects all update levels of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE), while Exchange Online (Microsoft 365) is not impacted.

Microsoft Exchange Server 0-Day Vulnerability

Microsoft’s exploitability assessment classifies the CVE as “Exploitation Detected,” confirming that real‑world attacks are already leveraging this issue.

CVE‑2026‑42897 is rated Critical with a CVSS v3.1 base score of 8.1, reflecting a network‑reachable attack that requires no privileges on the attacker side and only basic user interaction (opening an email in OWA).

Successful exploitation allows the attacker to execute JavaScript in the victim’s browser session, enabling email spoofing, credential theft, session hijacking, and actions performed on behalf of the compromised user.

Because the attack is delivered via email and triggers when content is rendered in OWA, it can bypass traditional attachment‑ or link‑focused security controls and blend into normal mailbox activity.

Microsoft notes that exploitation has only been observed via OWA rendering; Exchange Online and non‑OWA access paths are currently not known to be affected.

Microsoft’s primary short‑term defense is the Exchange Emergency Mitigation (EM) Service, which is enabled by default on supported on‑premises Exchange servers and automatically deploys mitigation M2.1.x for CVE‑2026‑42897.

Organizations can verify mitigation status using the EM “Viewing Applied Mitigations” guidance or the Exchange Health Checker script, which surfaces an EEMS check section in its HTML report.

For disconnected or air‑gapped environments, Microsoft provides the Exchange On‑Premises Mitigation Tool (EOMT), which applies CVE‑specific mitigations per server via a PowerShell script named PowerShell.ps1 with the CVE parameter.

These mitigations rely on browser Content Security Policy and therefore do not protect users accessing OWA through Internet Explorer or Edge in Internet Explorer Mode, which lack CSP support.
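To find the users that the CSP-based mitigation leaves uncovered, a defender can look for OWA requests coming from Internet Explorer user agents in the IIS logs. The following is an added example, not code from Microsoft or from the original article; it assumes IIS W3C extended logging with the `cs(User-Agent)` and `cs-username` fields enabled and that IE Mode presents a Trident/MSIE user agent, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2026-06-10 08:01:12 GET /owa/ alice@example.test 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200
2026-06-10 08:01:40 GET /owa/ bob@example.test 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+Chrome/125.0+Safari/537.36 200
2026-06-10 08:02:03 POST /owa/service.svc alice@example.test 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 200
2026-06-10 08:02:30 GET /ecp/ carol@example.test 10.0.0.23 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+Trident/6.0) 200
2026-06-10 08:03:10 GET /OWA/auth/logon.aspx - 10.0.0.35 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+Trident/6.0) 200
2026-06-10 08:03:11 GET /owa/ dave@example.test
"""

# IIS writes spaces in the user agent as '+', so match both forms.
LEGACY_UA = re.compile(r"Trident/|MSIE[ +]", re.IGNORECASE)


def legacy_owa_clients(log_text):
    """Count OWA requests per user made with an IE-family user agent."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Field order is site-specific; read it from the directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        if stem != "/owa" and not stem.startswith("/owa/"):
            continue  # only OWA rendering is relevant here
        if not LEGACY_UA.search(row.get("cs(User-Agent)", "")):
            continue
        user = row.get("cs-username", "-")
        if user == "-":
            # Pre-authentication request: fall back to the client IP.
            user = "anonymous@" + row.get("c-ip", "?")
        hits[user] += 1
    return dict(hits)


if __name__ == "__main__":
    for user, count in sorted(legacy_owa_clients(SAMPLE_LOG).items()):
        print(f"{user}\t{count} OWA request(s) from an IE-family browser")
```

Users that appear in the result are candidates for a browser change or for prioritised patching, since the mitigation alone does not cover their sessions.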

On June 9, 2026, Microsoft released Security Updates (SUs) for Exchange SE RTM, Exchange Server 2019 CU14/CU15, and Exchange Server 2016 CU23 that include a permanent fix for CVE‑2026‑42897, with the 2016/2019 updates available only to customers in the Period 2 Extended Security Update (ESU) program.

Microsoft recommends installing the June 2026 SUs as soon as possible and keeping the CVE‑2026‑42897 mitigation in place as an extra defense layer even after patching.

Microsoft warns that applying the mitigation (via EM Service or EOMT) may break or degrade certain OWA features, including calendar printing, inline image display in the reading pane, OWA Light, published calendars, and the OWACalendar proxy health set, which may trigger false alerts in monitoring systems.

These issues are expected to clear once organizations install the June 2026 update and then manually remove the mitigation if they choose to do so.

The June 2026 blog also highlights that EM and feature flighting services will stop consuming new configuration files from July 2026 unless Exchange servers are updated to at least the June 2026 level, reinforcing the need to move to current builds.

For organizations still on Exchange 2016/2019 without Period 2 ESU, Microsoft advises migrating to Exchange SE to maintain access to future security fixes.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
