In June 2026 Microsoft patched an Exchange Server flaw, CVE-2026-42897, that was already being used in attacks before the final fix shipped. The bug sits in Outlook Web Access (OWA), the webmail interface, and is tracked as a spoofing vulnerability that leads to cross-site scripting.
What actually goes wrong
The attack is simple, which is part of why it matters. A remote, unauthenticated attacker sends a specially crafted email. If the victim opens that message in OWA and certain interaction conditions are met, arbitrary JavaScript runs in the browser context. The recipient does not need to be an administrator or hold any special privilege. Using the webmail is enough.
Running JavaScript inside someone’s OWA session opens the door to stealing session tokens, reading mail, impersonating the user within the interface, or chaining the flaw with others to reach further. Microsoft rated it High severity.
Who is affected
The problem touches the versions still under support:
- Exchange Server 2016
- Exchange Server 2019
- Exchange Server Subscription Edition (SE)
In other words, any organization running its own on-premises Exchange whose users read mail through OWA. Mailboxes on Exchange Online (Microsoft 365) follow a separate update path managed by Microsoft and are not covered by these on-premises updates.
Why the zero-day status matters
The important part is not just the bug class. Exploitation was seen in the wild before a patch existed. In mid-May Microsoft pushed an automatic temporary mitigation through the Exchange Emergency Mitigation Service (EEMS), the mechanism that deploys countermeasures to Exchange servers without waiting for the full update. CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026, and gave U.S. federal agencies 14 days to fix it. The definitive security updates landed in June.
Exchange has a long track record here. It is one of the products with the most entries in CISA’s KEV catalog, and several of those flaws have ended up as ammunition for ransomware crews.
What to do
Microsoft’s advice is direct: install the June 2026 Security Updates for your version of Exchange as soon as you can. Until the update is on every server, leave the EEMS mitigation in place as an extra layer. If you run your own Exchange, confirm that the Emergency Mitigation Service is enabled and actually applying mitigations, since that is what has been holding the attack back ahead of the patch; a server with EEMS disabled, blocked by a proxy, or stopped has had no interim protection.
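The following is an added check, not code from the article or from Microsoft, showing how an Exchange administrator would verify those points from the Exchange Management Shell. It assumes a supported build where EEMS exists (Exchange 2016 CU22 or later, Exchange 2019 CU11 or later, or Subscription Edition), that the shell is running on the server being checked, and that the `$exscripts` variable points at the Exchange scripts folder as it does in a default EMS session. It does not interact with the vulnerability itself.

```powershell
# Added example (not from the article or Microsoft): run in the Exchange Management
# Shell on each on-premises Exchange server to confirm the Emergency Mitigation
# Service (EEMS) is enabled, running, connected, and has applied mitigations, and
# to record the build you will compare against the June 2026 Security Update.

# 1. Is EEMS enabled at the organization level and on this server? Both must be True.
#    MitigationsApplied lists what EEMS has pushed; MitigationsBlocked lists any an
#    admin has explicitly opted out of (an empty list is what you want here).
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer -Identity $env:COMPUTERNAME |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 2. Is the Windows service behind EEMS actually running and set to start automatically?
Get-Service MSExchangeMitigation | Format-List Name, Status, StartType

# 3. Show the mitigations currently applied on this server (script ships with Exchange).
& "$exscripts\Get-Mitigations.ps1"

# 4. Can the server reach Microsoft's mitigation endpoint? If this fails (proxy, egress
#    filtering), EEMS cannot fetch new mitigations and the interim protection never arrived.
& "$exscripts\Test-MitigationServiceConnectivity.ps1"

# 5. Record the installed build so the June 2026 SU can be confirmed after rollout.
Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo } |
    Format-List FileVersion, ProductVersion
```

Run steps 1 through 4 on every Exchange server, not just one: EEMS state is per server, and a single mailbox server whose outbound HTTPS is blocked will quietly report no mitigations applied while its neighbors look healthy. Keep the output of step 5 from before and after the update as evidence that the patch landed.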
If you manage Windows Server infrastructure, June 2026 was a heavy month: this Exchange fix shipped alongside the record Patch Tuesday with nearly 200 CVEs, so plan the full rollout rather than patching this one in isolation.
Source
- BleepingComputer: Microsoft patches Exchange Server zero-day exploited in attacks
- NVD: CVE-2026-42897