Microsoft has issued mitigations for CVE-2026-42897, a zero-day in Exchange Server that is being exploited in attacks, according to SecurityWeek and CISA. The flaw affects Exchange Server Subscription Edition, 2016, and 2019, and Microsoft says it can let an attacker spoof content and execute arbitrary JavaScript in a victim’s browser under certain interaction conditions.
SecurityWeek reported that the issue is tied to Outlook Web Access, where a specially crafted email can trigger the bug if the user opens it and the required conditions are met. Microsoft said the vulnerability stems from improper neutralization of input during web page generation, a cross-site scripting weakness tracked as CVE-2026-42897. The company said it has shared mitigations while it develops a permanent patch.
CISA also warned that the flaw is being used in real-world attacks and added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026. CISA said federal agencies covered by Binding Operational Directive 22-01 must remediate the issue by May 29, 2026. The agency described the problem as a cross-site scripting issue in Exchange Outlook Web Access that can be triggered under certain interaction conditions to run malicious JavaScript in a browser session.
SecurityWeek noted that Microsoft has not disclosed details about the exploitation it has observed. That means the scope of the attacks is still unclear, but the warning is significant because Exchange Server has long been a favored target for threat actors. SecurityWeek also said the flaw has not yet appeared in CISA’s broader catalog of the many Exchange bugs already known to be exploited, underscoring how quickly this one moved from disclosure to active abuse.
CISA’s advisory emphasized that XSS flaws in enterprise email platforms can be especially dangerous because they may be used to hijack authenticated sessions, steal credentials, or open the door to additional compromise. Microsoft’s update urges customers to enable Exchange Online Mitigation Service protections and follow its guidance while a full fix is prepared. SecurityWeek reported that an anonymous researcher was credited with reporting the flaw.