Introduction
Microsoft has confirmed that a critical security flaw in its on-premises Exchange Server is now being actively exploited by threat actors. The vulnerability, cataloged as CVE-2026-42897, carries a CVSS score of 8.1, marking it as high severity. This issue affects organizations running local (on-prem) instances of Exchange and enables attackers to launch spoofing attacks via a cross-site scripting (XSS) mechanism. An anonymous security researcher discovered and reported the flaw, leading to Microsoft’s disclosure. In this article, we break down the nature of the vulnerability, how it can be exploited, and the steps administrators should take to protect their environments.
Understanding CVE-2026-42897
The Nature of the Vulnerability
CVE-2026-42897 is classified as a spoofing vulnerability that originates from an improper handling of input, leading to XSS. In essence, an authenticated attacker—or even an external actor who can send crafted emails to a mailbox—can inject malicious script code into Exchange Server pages viewed by other users. When the targeted user interacts with the compromised page, the injected script can execute in the context of their session. This can allow the attacker to impersonate the victim, steal authentication tokens, modify account settings, or perform actions on behalf of the user without consent.
CVSS Score and Impact
With a CVSS v3.1 base score of 8.1, this vulnerability is rated high. The vector string indicates network attack vector, low attack complexity, low privileges required, and no user interaction for exploitation (though user interaction is required for the XSS part). The scope may change, meaning the compromised component impacts assets beyond its original security boundary. The impacts on confidentiality, integrity, and availability are rated as high for confidentiality and integrity, while availability is not affected. This makes the flaw particularly dangerous for organizations handling sensitive communications.
How the Attack Works
Exploitation via Crafted Emails
According to Microsoft’s advisory, the exploitation begins when an attacker sends a specially crafted email to an Exchange Server mailbox. The email contains malicious payloads that exploit the XSS flaw. When the email is opened or previewed using a web browser through Outlook on the web (OWA) or the Exchange Admin Center, the malicious script is rendered. The attacker does not need any elevated privileges to send the email; they only require the ability to deliver a message to the target server. Once the script executes, it can harvest cookies, impersonate the user, or perform other actions within the Exchange environment.
What Makes It Dangerous
Several factors elevate the risk. First, the vulnerability has been observed under active exploitation in the wild, meaning real attackers are using it to breach systems. Second, because Exchange Server often acts as a central point for an organization’s email, calendar, and contacts, a successful attack can expose vast amounts of business-critical data. Third, the lack of user interaction required for the initial email delivery—though user interaction is needed for the XSS to trigger—means that a single unsuspecting user can become the entry point for a wider compromise. Additionally, the spoofing capability allows attackers to pivot within the network, potentially moving to other systems.
Response and Mitigation
Microsoft’s Advisory
Microsoft released a security update addressing CVE-2026-42897 as part of its monthly patch cycle. The update is available for all supported versions of on-premises Exchange Server, including Exchange 2016, Exchange 2019, and possibly earlier versions if they are within extended support. The advisory urges administrators to apply the patch immediately, as exploitation is already occurring. Microsoft also credited an anonymous researcher for responsibly disclosing the issue.
Recommended Actions
To protect your Exchange environment, follow these steps:
- Apply the latest cumulative update (CU) or security hotfix provided by Microsoft for your Exchange version. Check the Microsoft Security Response Center (MSRC) for the exact KB number.
- Enable advanced threat protection for email, such as Microsoft Defender for Office 365, to help detect and block crafted emails before they reach mailboxes.
- Restrict email access to trusted users and enforce multi-factor authentication (MFA) for all accounts, especially administrative accounts.
- Audit logs for unusual activity including unexpected script execution or authentication anomalies in OWA and Exchange Admin Center.
- Educate users to avoid clicking on suspicious links or opening unexpected emails, even if they appear to come from internal senders.
- Monitor advisory updates from Microsoft’s Security Response Center for any additional guidance or workarounds.
Conclusion
CVE-2026-42897 represents a serious threat to organizations that rely on on-premises Microsoft Exchange Server. With active exploitation already underway, delay in patching can lead to data breaches, account takeovers, and further network compromise. By understanding the nature of the XSS-based spoofing flaw and implementing the recommended mitigations, IT administrators can reduce the risk. Stay proactive: apply patches promptly, monitor your systems, and keep security awareness high across the organization.