
CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day

Microsoft warned that threat actors are actively exploiting a new Exchange Server zero-day vulnerability, tracked as CVE-2026-42897 (CVSS score 8.1), in the wild.

The vulnerability is an improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server. An attacker can exploit the flaw to perform spoofing over a network.

“Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.” reads the advisory.

Microsoft warned that the Exchange Server zero-day affects Outlook Web Access (OWA). Attackers can exploit the flaw by sending a specially crafted email that executes malicious JavaScript when opened in Outlook Web Access under certain conditions.
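To make the vulnerability class concrete, the following is an added illustration (not Microsoft's code, and not a model of how OWA actually renders mail) of what "improper neutralization of input during web page generation" means for a web mail client. `render_unsafe` copies the message body straight into the page, which is the CWE-79 pattern; `sanitize_email_html` is a small allowlist sanitizer that keeps basic formatting, discards `script`/`style` content, event-handler attributes and links whose scheme is not http(s)/mailto, and HTML-escapes everything else. The allowlist, the sample message and all names in the block are assumptions chosen for the example.

```python
"""Added example: allowlist sanitisation of an HTML e-mail body before it is
rendered into a web mail page. Illustrates the CWE-79 class behind the bug in
the article; it is not Microsoft's code and does not model OWA's renderer."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: enough for basic formatting, nothing that can run code.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "div", "span", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on* handlers anywhere
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}      # their *content* must vanish, not just the tag


def render_unsafe(body_html: str) -> str:
    """The CWE-79 pattern: untrusted mail HTML copied into the page verbatim."""
    return f'<div class="message-body">{body_html}</div>'


def safe_url(value):
    """Accept only absolute http(s)/mailto URLs. Whitespace and control
    characters are stripped first so a 'java<TAB>script:' spelling is still
    recognised as a non-http scheme and rejected."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value
                      if ch.isprintable() and not ch.isspace()).lower()
    return cleaned.startswith(SAFE_URL_SCHEMES)


class EmailBodySanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                   # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue             # drops onerror=, onclick=, style=, ...
            if name == "href" and not safe_url(value):
                continue             # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)        # <br/> and friends

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments, doctype and processing instructions reach the base class's
    # no-op handlers and are therefore dropped from the output.


def sanitize_email_html(raw_html: str) -> str:
    parser = EmailBodySanitizer()
    parser.feed(raw_html)
    parser.close()                   # flushes an unterminated <script> too
    return "".join(parser.out)


def render_safe(body_html: str) -> str:
    """Same page fragment as render_unsafe, but the body is neutralised first."""
    return f'<div class="message-body">{sanitize_email_html(body_html)}</div>'


if __name__ == "__main__":
    # Constructed sample message for the demo (not taken from any real incident).
    sample = ('<p>Hello <b>team</b>, see <a href="https://example.com/report">'
              'the report</a>.</p><script>alert(1)</script>'
              '<img src="x" onerror="alert(1)">')
    print("unsafe:", render_unsafe(sample))
    print("safe:  ", render_safe(sample))
```

The design point is that escaping alone is not an option for a mail client, because users expect formatted HTML mail; a renderer therefore has to rebuild the body from an allowlist rather than try to blacklist dangerous fragments, and the scheme check on `href` has to normalise the value before comparing it.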

Microsoft confirmed it had detected active exploitation of CVE-2026-42897 in the wild; however, it has not disclosed details about any attacks exploiting the issue.

Until a permanent security update becomes available, Microsoft has released temporary mitigation measures and urged administrators to apply them immediately to reduce exposure to attacks.

The flaw surfaced just two days after Microsoft’s May 2026 Patch Tuesday updates, which patched 138 vulnerabilities.

Exchange Server zero-days are dangerous because they sit at the center of corporate email, one of the most sensitive and widely used systems in any organization.

Exploiting a Microsoft Exchange Server flaw often gives attackers a direct path into internal communications, credentials, and business workflows.

A key reason they’re high risk is exposure. Many Exchange servers, especially on-premises deployments, are internet-facing. A zero-day means attackers can exploit the flaw before a patch exists, leaving defenders with no direct fix, only temporary mitigations.

OWA (Outlook Web Access) makes things worse. If a vulnerability works through the browser, attackers can use simple phishing-style emails to trigger it. In some cases, just opening an email in Outlook on the web can be enough to run malicious code in the user’s session.

Once they compromise Exchange, attackers can access emails and attachments, steal credentials, reset passwords, move into other systems, and maintain long-term access using mail rules or tokens.
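The mail-rule persistence mentioned above is something defenders can hunt for. Below is an added example (not from the article or from Microsoft) that triages inbox-rule records for the usual warning signs: forwarding or redirecting outside the organisation, deleting matching mail, filing it into folders nobody reads, filtering on sensitive keywords, and rules with near-empty names. The records are constructed for the demo; in practice they would come from an export such as the Exchange Management Shell's `Get-InboxRule` output. The internal domain list, keyword list and folder list are assumptions to be tuned per organisation.

```python
"""Added example: triage of mailbox inbox rules for the persistence pattern
the article mentions. Sample records are constructed; INTERNAL_DOMAINS,
SUSPICIOUS_KEYWORDS and HIDEAWAY_FOLDERS are assumptions to adapt locally."""
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_DOMAINS = {"corp.example"}        # assumption: the organisation's own domains
SUSPICIOUS_KEYWORDS = {"password", "invoice", "wire", "security", "hacked", "phishing"}
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "deleted items", "junk email", "archive"}


@dataclass
class InboxRule:
    """Subset of the fields an inbox-rule export typically carries."""
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    subject_keywords: list = field(default_factory=list)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage_rule(rule: InboxRule) -> list:
    """Return the reasons a rule deserves a look; an empty list means nothing odd."""
    findings = []
    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    if external:
        findings.append("forwards/redirects outside the organisation: " + ", ".join(external))
    if rule.delete_message:
        findings.append("deletes matching messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDEAWAY_FOLDERS:
        findings.append(f"moves messages to rarely-read folder '{rule.move_to_folder}'")
    hits = [k for k in rule.subject_keywords if k.lower() in SUSPICIOUS_KEYWORDS]
    if hits:
        findings.append("filters on sensitive keywords: " + ", ".join(hits))
    if not rule.name.strip(" .,_-"):
        findings.append("near-empty rule name")
    # An external forward with no subject filter at all copies every message.
    if external and not rule.subject_keywords:
        findings.append("unconditional external forward (copies all mail)")
    return findings


def triage(rules) -> dict:
    """Map (mailbox, rule name) -> findings for every enabled rule that has any."""
    report = {}
    for rule in rules:
        if not rule.enabled:
            continue
        findings = triage_rule(rule)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample export (addresses use reserved example/invalid domains).
SAMPLE_RULES = [
    InboxRule("alice@corp.example", "Move newsletters",
              move_to_folder="Newsletters", subject_keywords=["newsletter"]),
    InboxRule("alice@corp.example", ".",
              forward_to=["collector@mail.invalid"], delete_message=True),
    InboxRule("bob@corp.example", "Finance",
              subject_keywords=["invoice", "wire"], move_to_folder="RSS Feeds"),
    InboxRule("carol@corp.example", "Old rule", enabled=False,
              forward_to=["x@mail.invalid"]),
    InboxRule("dave@corp.example", "To my assistant",
              forward_to=["erin@corp.example"], subject_keywords=["meeting"]),
]

if __name__ == "__main__":
    for (mailbox, name), findings in triage(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for f in findings:
            print("   -", f)
```

Run on the constructed export, only Alice's "." rule (external forward, delete, empty name, no filter) and Bob's "Finance" rule (sensitive keywords filed into RSS Feeds) are reported; the disabled rule and the internal forward to a colleague are not.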

Finally, Exchange zero-days are frequently exploited in cyber espionage and ransomware campaigns because they provide high-value access with relatively low noise.

In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability, tracked as CVE-2023-21529, to its Known Exploited Vulnerabilities (KEV) catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange Server)