An exploit in on-premises Microsoft Exchange servers has already been used in active attacks. (Graphic: Nicola Mawson | Pixabay)
A vulnerability in Microsoft Exchange, allowing hackers to execute malicious code through specially crafted e-mails opened in Outlook Web Access, is a serious and urgent threat as it is already being actively exploited while no permanent patch yet exists.
This is according to cyber security specialists, who warn that organisations running on-premises Exchange environments remain exposed and can currently do little more than aggressively mitigate risk, while waiting for Microsoft to release a permanent fix.
The vulnerability is the result of an “improper neutralisation of input during web page generation” – a cross-site scripting flaw in Microsoft Exchange Server that could allow an unauthorised attacker to carry out spoofing attacks over a network.
Spoofing allows an attacker to impersonate a trusted source – in this case, by sending a specially crafted e-mail that, once opened in Outlook Web Access (OWA), executes arbitrary JavaScript code within the victim’s browser session under certain interaction conditions.
The vulnerability is particularly significant given Microsoft Exchange’s dominance in the enterprise e-mail market, says Mark Walker, director at technology consultancy T4i.
“Microsoft on-prem Exchange Server plus Exchange Online 365 accounts for approximately 70% of the global corporate and enterprise e-mail market. This is a serious vulnerability as it can disrupt corporate IT security via an unauthorised spoofing attack over a network,” Walker says.
Microsoft disclosed the vulnerability, tracked as CVE-2026-42897, on 14 May. The flaw affects all supported versions of on-premises Exchange Server: Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition.
Jason Jordaan, principal forensic scientist at DFIR Labs, says the exploit allows attackers to compromise on-premises Microsoft Exchange servers and has already been used in active attacks.
Microsoft has released four security updates for its Exchange Server.
“How bad is it? Well, bad enough for US Cybersecurity and Infrastructure Security Agency (CISA) to basically release an alert on it. Obviously, they’re seeing it in extensive use in the wild,” says Jordaan. E-mail remains one of the most common attack vectors, he adds.
CISA added CVE-2026-42897 to its known exploited vulnerabilities catalogue on 15 May, noting the vulnerability allows arbitrary JavaScript execution within Outlook Web Access browser sessions under certain conditions.
Jacqui Muller, a researcher at Belgium Campus iTversity and a PhD candidate in computer science, says the combination of active exploitation and the absence of a permanent patch significantly increases the risk profile.
“The fact that the vulnerability is already being actively exploited, combined with the absence of a permanent patch at this stage, significantly increases the risk profile,” Muller says.
Jordaan notes that while the vulnerability is serious, it is limited to on-premises Exchange deployments and does not appear to affect organisations using Microsoft 365 cloud-based Exchange services.
“Is it serious? Yes, as any exploit of this nature is serious. But is it manageable? Yes, organisations need to mitigate the risks as soon as possible and patch where set up,” Jordaan says.
Microsoft also warned that users accessing OWA through Internet Explorer or Microsoft Edge Internet Explorer Mode are not protected because content security policy protections are not supported in those browsers.
Muller notes that organisations using on-premises Exchange should treat the vulnerability as a priority security incident and implement mitigations immediately. “There’s no conclusive right way to avoid a hack at the moment. It’s about mitigating risk as far as possible.”
Microsoft says organisations running affected on-premises Exchange environments should immediately enable the Exchange Emergency Mitigation Service, which is enabled by default and can automatically apply temporary protections while a permanent fix is being developed.
CISA has added the Microsoft zero-day vulnerability to its known exploited vulnerabilities catalogue.
According to Linda Morris, director of Smart Technology Centre, remote monitoring and management tools play a critical role in ensuring organisations can rapidly apply mitigations, maintain patching posture and retain visibility across their environments.
“This highlights a broader industry challenge in that many organisations are still running on-premises Exchange without sufficient visibility or automated mitigation capabilities,” she says.
“It’s no longer just about patching; it’s about readiness, response and ensuring your environment can absorb zero-day events without material impact to the business.”
Walker says the nature of zero-day attacks means there is little time for vendors and customers to mitigate threats before exploitation begins. “Risk to the user remains until a permanent patch is built and applied. The rise of AI-powered hacking tools is intensifying the challenge facing defenders.”
A zero-day vulnerability is one that is actively exploited before the software vendor has had the opportunity to develop and release a permanent fix.
“There is a constant game of ‘whack-a-mole’ playing out between corporate cyber defence and bad actors,” says Walker. “Attackers only need to find a single exploit, while defenders must protect on many threat fronts across multiple systems.”
