Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-42897 is an actively exploited spoofing vulnerability in on-premises Microsoft Exchange Server that can lead to arbitrary JavaScript execution in a browser context. The flaw affects Exchange Server 2016, 2019, and Subscription Edition, while Exchange Online is not impacted. Attackers can send a specially crafted email that, when opened in Outlook Web Access under certain interaction conditions, may execute script in the browser. Microsoft has marked the issue Exploitation Detected and is pushing temporary mitigations through Exchange Emergency Mitigation Service and, for air-gapped systems, EOMT while it works on a permanent fix.
Related Happenings
Microsoft Exchange Online mail flow disruption
Service Disruption
H score25
First: 02.06.2026 20:02
Last: 02.06.2026 20:02
Sources 1
About this happening:
Microsoft is addressing a **widespread Exchange Online service disruption** that is delaying and failing email delivery for customers across **North America** and **Germany**. The...
Microsoft Exchange Online mail flow disruption
Service DisruptionAbout this happening: Microsoft is addressing a **widespread Exchange Online service disruption** that is delaying and failing email delivery for customers across **North America** and **Germany**. The...
CCB urgent patch warning for CVE-2026-41089 on Windows servers
Public Sector Action
H score48
First: 01.06.2026 15:30
Last: 01.06.2026 15:30
Sources 1
About this happening:
Belgium's **CCB** warned that **CVE-2026-41089** is being **actively exploited in the wild**, urging admins to **immediately patch** vulnerable **Windows servers** because the fla...
CCB urgent patch warning for CVE-2026-41089 on Windows servers
Public Sector ActionAbout this happening: Belgium's **CCB** warned that **CVE-2026-41089** is being **actively exploited in the wild**, urging admins to **immediately patch** vulnerable **Windows servers** because the fla...
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/Mitigation
H score44
First: 15.05.2026 12:40
Last: 15.05.2026 12:40
Sources 1
How related:
Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away.
About this happening:
**Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Microsoft Exchange CVE-2026-42897 mitigation advisory
Advisory/MitigationHow related: Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away.
About this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...
Latest development: 15.05.2026 15:35
Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.
Microsoft Windows 365 Office installation disruption
Service Disruption
H score0
First: 13.05.2026 14:53
Last: 13.05.2026 14:53
Sources 1
About this happening:
The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....
Microsoft Windows 365 Office installation disruption
Service DisruptionAbout this happening: The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....
Microsoft Exchange Online blocks legacy TLS for POP3 and IMAP4 starting July 2026
Security Tool/Service
H score11
First: 28.04.2026 16:18
Last: 28.04.2026 16:18
Sources 1
About this happening:
**Microsoft** will block **TLS 1.0** and **TLS 1.1** for **POP3/IMAP4** access to **Exchange Online** in **July 2026**, which could break legacy mail clients and embedded devices...
Microsoft Exchange Online blocks legacy TLS for POP3 and IMAP4 starting July 2026
Security Tool/ServiceAbout this happening: **Microsoft** will block **TLS 1.0** and **TLS 1.1** for **POP3/IMAP4** access to **Exchange Online** in **July 2026**, which could break legacy mail clients and embedded devices...
Timeline
-
09.06.2026 20:57 1 articles · 1mo ago
Microsoft flags Exchange Server spoofing vulnerability CVE-2026-42897 as actively exploited
Initial DisclosureMicrosoft identifies CVE-2026-42897 in Microsoft Exchange Server as an actively exploited spoofing vulnerability that can lead to JavaScript execution in a target’s browser when a specially crafted email is opened in Outlook Web Access under certain interaction conditions. Microsoft says mitigations are being pushed through the Exchange Emergency Mitigation Service while it continues work on the full update.
Show sources
- Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws — www.bleepingcomputer.com — 09.06.2026 20:57
-
15.05.2026 09:19 3 articles · 1mo ago
Microsoft discloses CVE-2026-42897 in on-premises Exchange Server
Initial DisclosureMicrosoft disclosed CVE-2026-42897 in on-premises Exchange Server, a spoofing vulnerability stemming from cross-site scripting that is under active exploitation in the wild. The flaw can be triggered by a crafted email opened in Outlook Web Access under certain interaction conditions and can allow arbitrary JavaScript execution in the browser context; Exchange Online is not impacted, while Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are affected and Microsoft is providing a temporary mitigation through Exchange Emergency Mitigation Service or, for air-gapped environments, the Exchange on-premises Mitigation Tool (EOMT) pending a permanent fix.
Show sources
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email — thehackernews.com — 15.05.2026 09:19
- Microsoft warns of Exchange zero-day flaw exploited in attacks — www.bleepingcomputer.com — 15.05.2026 12:40
- Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers — www.infosecurity-magazine.com — 15.05.2026 15:35
-
15.05.2026 09:19 3 articles · 1mo ago
Microsoft discloses CVE-2026-42897 in on-premises Exchange Server
Initial DisclosureMicrosoft disclosed CVE-2026-42897 in on-premises Exchange Server, a spoofing vulnerability stemming from cross-site scripting that is under active exploitation in the wild. The flaw can be triggered by a crafted email opened in Outlook Web Access under certain interaction conditions and can allow arbitrary JavaScript execution in the browser context; Exchange Online is not impacted, while Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are affected and Microsoft is providing a temporary mitigation through Exchange Emergency Mitigation Service or, for air-gapped environments, the Exchange on-premises Mitigation Tool (EOMT) pending a permanent fix.
Show sources
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email — thehackernews.com — 15.05.2026 09:19
- Microsoft warns of Exchange zero-day flaw exploited in attacks — www.bleepingcomputer.com — 15.05.2026 12:40
- Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers — www.infosecurity-magazine.com — 15.05.2026 15:35
-
15.05.2026 09:19 3 articles · 1mo ago
Microsoft discloses CVE-2026-42897 in on-premises Exchange Server
Initial DisclosureMicrosoft disclosed CVE-2026-42897 in on-premises Exchange Server, a spoofing vulnerability stemming from cross-site scripting that is under active exploitation in the wild. The flaw can be triggered by a crafted email opened in Outlook Web Access under certain interaction conditions and can allow arbitrary JavaScript execution in the browser context; Exchange Online is not impacted, while Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are affected and Microsoft is providing a temporary mitigation through Exchange Emergency Mitigation Service or, for air-gapped environments, the Exchange on-premises Mitigation Tool (EOMT) pending a permanent fix.
Show sources
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email — thehackernews.com — 15.05.2026 09:19
- Microsoft warns of Exchange zero-day flaw exploited in attacks — www.bleepingcomputer.com — 15.05.2026 12:40
- Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers — www.infosecurity-magazine.com — 15.05.2026 15:35
-
14.05.2026 03:00 1 articles · 1mo ago
Microsoft discloses CVE-2026-42897 in Exchange Server
Initial DisclosureMicrosoft disclosed a high-severity zero-day in on-premises Exchange Server tracked as CVE-2026-42897, an improper neutralization of input during web page generation issue also described as cross-site scripting (XSS). The flaw could let an unauthorized attacker perform spoofing over a network or send arbitrary code by targeting an Outlook user with a specially crafted email. The issue affects all existing Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) versions and does not impact Exchange Online, and Microsoft had not yet released a patch.
Show sources
- Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers — www.infosecurity-magazine.com — 15.05.2026 15:35
-
14.05.2026 03:00 4 articles · 1mo ago
Microsoft publishes EM Service and EOMT mitigations for CVE-2026-42897
Mitigation Patch UpdateMicrosoft published temporary mitigation guidance for CVE-2026-42897 using the Exchange Emergency Mitigation (EM) Service, which applies mitigations automatically when enabled, and the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Administrators were told to verify applied mitigations with the Exchange Health Checker script and to enable EM Service if it was disabled. Microsoft also noted that servers running versions older than March 2023 cannot receive new mitigations through the service and that both mitigation paths can disrupt features such as OWA Print Calendar and Inline images.
Show sources
- Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers — www.infosecurity-magazine.com — 15.05.2026 15:35
- Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers — www.infosecurity-magazine.com — 15.05.2026 15:35
- Microsoft patches Exchange Server zero-day exploited in attacks — www.bleepingcomputer.com — 10.06.2026 16:44
- Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws — www.bleepingcomputer.com — 09.06.2026 20:57