
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)

Vulnerability
H score 47
3 unique sources, 3 articles

Summary


CVE-2026-42897 is an actively exploited spoofing/XSS flaw in on-premises Microsoft Exchange Server that can let attackers trigger arbitrary JavaScript in a browser context under certain interaction conditions. The issue affects Exchange Server 2016, 2019, and Subscription Edition, while Exchange Online is not impacted. Microsoft has marked the bug Exploitation Detected and is urging administrators to apply its temporary mitigation through Exchange Emergency Mitigation Service or EOMT until a permanent fix is available.

Related Happenings

Microsoft Exchange CVE-2026-42897 mitigation advisory

Advisory/Mitigation
First: 15.05.2026 12:40 Last: 15.05.2026 12:40 Sources 1

How related: Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away.

About this happening: **Microsoft** issued immediate mitigation guidance for **CVE-2026-42897**, reducing risk for **Exchange Server 2016, 2019, and Subscription Edition (SE)** on-premises servers that...

Latest development: 15.05.2026 15:35

Microsoft issued temporary mitigation guidance for CVE-2026-42897 while a patch is still in development, recommending the Exchange Emergency Mitigation (EM) Service, which is enabled by default and can be checked with the Exchange Health Checker script, or the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Microsoft noted that the mitigations can disrupt features such as OWA Print Calendar and Inline images, and that servers older than March 2023 cannot receive new mitigations through EM Service.
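As an added example (not code from this page or from Microsoft's advisory), the following PowerShell, run in the Exchange Management Shell on an on-premises server, checks the points the guidance turns on: the Emergency Mitigation service is running, mitigations are enabled org-wide and per server, and which mitigations have actually been applied. The service name MSExchangeMitigation, the MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties and the Get-Mitigations.ps1 script are assumed from Exchange's EM Service documentation, not taken from this page.

```powershell
# Added example: audit Exchange Emergency Mitigation (EM) Service readiness for the
# CVE-2026-42897 mitigation. Run in the Exchange Management Shell (Exchange 2016/2019/SE).
# Assumptions (not from the page): service name MSExchangeMitigation, the
# Mitigations* properties on OrganizationConfig/ExchangeServer, Get-Mitigations.ps1 in $exscripts.

# 1. Is the EM Windows service present and running on this host?
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "EM Service is not installed on this host; it cannot receive mitigations."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "EM Service is installed but its state is '$($svc.Status)'."
}

# 2. Org-wide switch: no server receives mitigations while this is $false.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "Mitigations are disabled org-wide. Re-enable with:"
    Write-Warning "  Set-OrganizationConfig -MitigationsEnabled `$true"
}

# 3. Per-server view: enabled flag, applied mitigation IDs, any IDs an admin blocked.
#    AdminDisplayVersion is shown so servers older than the March 2023 update
#    (which the advisory says cannot receive new mitigations) can be picked out by eye.
Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer } |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled,
                  MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# 4. Detailed list of mitigations applied to this server (script ships with Exchange).
$getMit = Join-Path $exscripts 'Get-Mitigations.ps1'
if (Test-Path $getMit) { & $getMit }

# Disconnected or air-gapped servers: EM Service cannot reach Microsoft, so the
# Exchange On-premises Mitigation Tool (EOMT.ps1) is run manually instead, and
# HealthChecker.ps1 is used afterwards to confirm which mitigations are in place.
```

Re-running step 3 after EM Service has polled confirms whether the new mitigation ID shows up under MitigationsApplied on every server in scope.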

Microsoft Windows 365 Office installation disruption

Service Disruption
First: 13.05.2026 14:53 Last: 13.05.2026 14:53 Sources 1

About this happening: The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....

Microsoft Exchange Online blocks legacy TLS for POP3 and IMAP4 starting July 2026

Security Tool/Service
First: 28.04.2026 16:18 Last: 28.04.2026 16:18 Sources 1

About this happening: **Microsoft** will block **TLS 1.0** and **TLS 1.1** for **POP3/IMAP4** access to **Exchange Online** in **July 2026**, which could break legacy mail clients and embedded devices...

Microsoft Outlook.com outage causing sign-in failures

Service Disruption
First: 27.04.2026 15:03 Last: 27.04.2026 15:03 Sources 1

About this happening: Microsoft's **Outlook.com** is experiencing an **ongoing outage** that is blocking sign-ins and mailbox access, leaving some customers unable to use email normally. The disruption...

Microsoft Edge regression disrupts Teams meeting joins

Service Disruption
First: 23.04.2026 16:18 Last: 23.04.2026 16:18 Sources 1

About this happening: A **Microsoft Edge** regression is preventing some **Windows** users from joining **Microsoft Teams** meetings, causing a limited-scope access disruption for scheduled and link-ba...

Timeline

  1. 15.05.2026 09:19 3 articles · 12d ago

    Microsoft discloses CVE-2026-42897 in on-premises Exchange Server

    Initial Disclosure

    Microsoft disclosed CVE-2026-42897 in on-premises Exchange Server, a spoofing vulnerability stemming from cross-site scripting that is under active exploitation in the wild. The flaw can be triggered by a crafted email opened in Outlook Web Access under certain interaction conditions and can allow arbitrary JavaScript execution in the browser context. Exchange Online is not impacted, while Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are affected; Microsoft is providing a temporary mitigation through Exchange Emergency Mitigation Service or, for air-gapped environments, the Exchange On-premises Mitigation Tool (EOMT) pending a permanent fix.

  2. 14.05.2026 03:00 1 article · 13d ago

    Microsoft discloses CVE-2026-42897 in Exchange Server

    Initial Disclosure

    Microsoft disclosed a high-severity zero-day in on-premises Exchange Server tracked as CVE-2026-42897, an improper neutralization of input during web page generation issue also described as cross-site scripting (XSS). The flaw could let an unauthorized attacker perform spoofing over a network or send arbitrary code by targeting an Outlook user with a specially crafted email. The issue affects all existing Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) versions and does not impact Exchange Online; Microsoft had not yet released a patch.

  3. 14.05.2026 03:00 2 articles · 13d ago

    Microsoft publishes EM Service and EOMT mitigations for CVE-2026-42897

    Mitigation Patch Update

    Microsoft published temporary mitigation guidance for CVE-2026-42897 using the Exchange Emergency Mitigation (EM) Service, which applies mitigations automatically when enabled, and the Exchange On-premises Mitigation Tool (EOMT) for disconnected or air-gapped environments. Administrators were told to verify applied mitigations with the Exchange Health Checker script and to enable EM Service if it was disabled. Microsoft also noted that servers running versions older than March 2023 cannot receive new mitigations through the service and that both mitigation paths can disrupt features such as OWA Print Calendar and inline images.