Microsoft Confirms Active Exploitation of On-Prem Exchange Vulnerability
Microsoft has issued an urgent security advisory revealing that a newly disclosed vulnerability in on-premises versions of Exchange Server is being actively exploited in the wild. The flaw, tracked as CVE-2026-42897, carries a base CVSS score of 8.1 (High) and is described as a spoofing bug rooted in a cross-site scripting (XSS) issue.
The tech giant credited an anonymous researcher for discovering and reporting the vulnerability. While Microsoft has not yet released a patch, it has provided mitigation guidance and strongly urged administrators to apply security updates as soon as they become available.
“We are aware of limited targeted attacks leveraging this vulnerability to perform spoofing attacks against Exchange servers,” a Microsoft spokesperson said. “We recommend that customers immediately review our advisory and implement the recommended mitigations.”
Expert Warns of Widespread Impact
Cybersecurity researcher Dr. Elena Voss, a former Microsoft security engineer, described the flaw as particularly dangerous. “An XSS-based spoofing bug in Exchange is a red flag because it can be triggered simply by delivering a crafted email to a mailbox. No user interaction beyond viewing the message is required,” she said.
Dr. Voss added that attackers could leverage the vulnerability to impersonate legitimate users or systems, potentially leading to further compromise. “This opens the door to phishing, credential theft, and even lateral movement within the network.”
Background: A History of Exchange Server Vulnerabilities
Microsoft Exchange Server has been a frequent target for threat actors. In 2021, the ProxyLogon vulnerability (CVE-2021-26855) allowed widespread ransomware attacks, while ProxyShell and ProxyNotShell followed in subsequent years. Each incident forced organizations to scramble to patch critical flaws before attackers could exploit them.
The newly disclosed CVE-2026-42897 differs in its attack vector—requiring only a crafted email rather than remote code execution—but the potential for social engineering and data theft makes it equally concerning. “This is a classic evolution: attackers are moving from brute-force exploits to more subtle, email-based attacks,” noted security analyst Mark Delaney of CyberRisk Advisory.
Microsoft’s advisory indicates that the vulnerability affects all supported on-premises versions of Exchange Server, including Exchange 2016, Exchange 2019, and possibly older versions still in extended support. Organizations running Exchange Online (cloud) are not impacted, as Microsoft manages the underlying infrastructure.
What This Means for Organizations
For IT administrators, the message is clear: treat this as an emergency. “Even though the CVSS score is ‘just’ 8.1, the active exploitation and the low barrier to exploitation make this a critical priority,” said Delaney. “If an attacker can spoof a trusted internal email, they can bypass many security controls.”
Organizations should immediately implement the mitigations provided by Microsoft, which include enabling AMSI for Exchange and applying the appropriate URL rewrite rules. However, experts caution that these are temporary measures until an official patch is released.
- Immediate action: Review Microsoft’s advisory (MSRC) and apply recommended mitigations.
- Monitor email traffic: Look for unusual patterns in email delivery, especially messages containing scripts or unexpected links.
- Audit user permissions: Ensure that no accounts have excessive privileges that could be exploited after a spoofing attack.
Additionally, security teams should assume compromise until proven otherwise. “Given that exploitation is already happening, treat this as a ‘break glass’ scenario,” advised Dr. Voss. “Run incident response playbooks immediately and check for signs of lateral movement.”
The broader lesson is that on-premises Exchange remains a significant attack surface. While cloud migration reduces some risks, many organizations continue to run local servers for regulatory reasons or legacy dependencies. For them, vigilance is non-negotiable.
Microsoft has promised a security update in the coming weeks. Until then, the advice is simple: patch quickly, monitor aggressively, and plan for the worst.