Active exploitation of Microsoft Exchange Server spoofing vulnerability via crafted email
Summary
A high-severity spoofing vulnerability in on-premises Microsoft Exchange Server (CVE-2026-42897, CVSS 8.1) is being actively exploited in the wild. The flaw arises from improper neutralization of input during web page generation, enabling cross-site scripting (XSS) that permits unauthorized spoofing over a network. Attackers can exploit this by sending a specially crafted email to a user; when opened in Outlook Web Access under specific interaction conditions, arbitrary JavaScript can execute in the browser context, facilitating further unauthorized actions.
Timeline
- 15.05.2026 09:19 · 1 article
Active exploitation of Microsoft Exchange Server spoofing vulnerability CVE-2026-42897
Microsoft disclosed CVE-2026-42897, a high-severity (CVSS 8.1) spoofing vulnerability in on-premises Exchange Server versions 2016, 2019, and Subscription Edition. The flaw stems from improper input neutralization leading to XSS, enabling unauthorized spoofing and arbitrary JavaScript execution in the browser context when a crafted email is opened in Outlook Web Access under specific interaction conditions. Microsoft reported active exploitation in the wild and provided temporary mitigations via the Exchange Emergency Mitigation Service (enabled by default) and the Exchange on-premises Mitigation Tool (EOMT). Exchange Online is not impacted.
Sources:
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email — thehackernews.com — 15.05.2026 09:19
Information Snippets
- CVE-2026-42897 affects on-premises Exchange Server versions 2016, 2019, and Subscription Edition (SE) at any update level.
  First reported: 15.05.2026 09:19 · 1 source, 1 article
  Source: On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email — thehackernews.com — 15.05.2026 09:19
- Microsoft has detected active exploitation in the wild and assigned an "Exploitation Detected" assessment to the vulnerability.
- Exploitation requires sending a crafted email to a target user; successful exploitation leads to arbitrary JavaScript execution in the context of the browser when the message is viewed in Outlook Web Access under specific interaction conditions.
- Microsoft's Exchange Emergency Mitigation Service provides automatic mitigation via a URL rewrite configuration; it is enabled by default but only takes effect if the corresponding Windows service is running.
- Microsoft provides an on-premises mitigation tool (EOMT) as an alternative for air-gapped environments, with detailed PowerShell scripts for single-server or fleet-wide application.
- Exchange Online is not impacted by this vulnerability.
- A known cosmetic issue exists where the mitigation status may incorrectly display "Mitigation invalid for this exchange version" even though the mitigation was applied successfully; Microsoft is investigating a fix.