
CISA Warns of Active Exploitation of Microsoft Exchange Server Spoofing Vulnerability

Surendra Reddy
MAY 18, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning after threat actors began actively exploiting a critical vulnerability affecting on-premises Microsoft Exchange Server deployments.

The flaw, tracked as CVE-2026-42897, is a spoofing vulnerability tied to a cross-site scripting (XSS) weakness in Outlook Web Access (OWA). Security experts warn that successful exploitation could allow attackers to execute malicious JavaScript through specially crafted emails, potentially leading to credential theft, session hijacking, and broader compromise of enterprise email environments.

## What Is CVE-2026-42897?

According to Microsoft, the vulnerability stems from improper neutralization of input during webpage generation in Exchange Server’s OWA component. Attackers can exploit the issue remotely by sending a malicious email to a targeted user.

If the victim opens the email within Outlook Web Access under certain conditions, the exploit can trigger arbitrary JavaScript execution within the browser session.

Affected versions include:

  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server Subscription Edition (SE)

Microsoft assigned the flaw a CVSS severity score of 8.1, classifying it as a high-severity vulnerability.

## CISA Adds Flaw to KEV Catalog

CISA has officially added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in real-world attacks. Inclusion in the KEV catalog indicates that federal agencies and critical infrastructure operators should prioritize immediate remediation.

The agency’s warning signals a heightened threat level because attackers are already weaponizing the vulnerability before a permanent patch becomes widely available.

## Why Exchange Server Attacks Are Dangerous

Exchange Server remains one of the most targeted enterprise technologies in the world because it handles:

  • Corporate communications
  • Executive email accounts
  • Authentication tokens
  • Internal workflows
  • Sensitive attachments and documents

Cybercriminals and nation-state actors frequently target Exchange vulnerabilities to gain initial access to enterprise networks.

Security researchers note that once attackers compromise Exchange environments, they often:

  • Steal credentials
  • Deploy web shells
  • Move laterally across networks
  • Conduct espionage
  • Launch ransomware attacks

The latest warning revives concerns from the massive 2021 Microsoft Exchange attacks that affected thousands of organizations globally.

## Microsoft Releases Temporary Mitigations

Microsoft confirmed active exploitation but has not yet released a permanent security patch for the vulnerability. Instead, the company has urged administrators to immediately enable Exchange Emergency Mitigation Service (EEMS), which can automatically apply temporary protections.

Recommended mitigation steps include:

  • Enable EEMS: Organizations should ensure Exchange Emergency Mitigation Service is active and functioning properly.
  • Restrict Outlook Web Access exposure: Limit internet exposure for OWA interfaces whenever possible.
  • Monitor email activity: Security teams should inspect logs for suspicious emails, JavaScript activity, or unusual authentication behavior.
  • Apply security updates immediately: Administrators should install any future Microsoft patches as soon as they become available.
  • Strengthen email security: Organizations should deploy advanced email filtering and phishing protections to reduce attack success rates.
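The first two mitigation steps (confirm EEMS is working, know which OWA endpoints are internet-reachable) can be checked from the Exchange Management Shell. The script below is an added example, not code from the article or from Microsoft. It uses the standard `Get-OrganizationConfig`, `Get-ExchangeServer`, `Get-OwaVirtualDirectory` and `Get-Service` cmdlets and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties that EEMS exposes; the `MSExchangeMitigation` service name and the `officeclient.microsoft.com` endpoint that EEMS polls for mitigation definitions are taken from Microsoft's EEMS documentation as this editor recalls it and should be confirmed against the current docs. EEMS ships only with Exchange 2016 CU22 / Exchange 2019 CU11 and later, so servers behind those CUs will report nothing useful here.

```powershell
# Added example (not from the article): audit EEMS state and OWA exposure on
# every Mailbox server in the organization. Run from the Exchange Management
# Shell (Windows PowerShell 5.1) with View-Only Organization Management rights.

# EEMS is gated by one organization-level switch; if it is off, no server
# applies mitigations regardless of its own setting.
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.MitigationsEnabled) {
    Write-Warning "Organization-level MitigationsEnabled is FALSE: EEMS is disabled everywhere."
}

$findings = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' })) {

    # Per-server EEMS state: enabled flag, mitigations already applied,
    # and mitigations an admin has deliberately blocked (MitigationsBlocked).
    $eems = Get-ExchangeServer -Identity $srv.Name |
        Select-Object MitigationsEnabled, MitigationsApplied, MitigationsBlocked

    # The Windows service that actually polls for and applies mitigations.
    # Get-Service -ComputerName is fine under Windows PowerShell 5.1.
    $svc = Get-Service -ComputerName $srv.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status } else { 'NotFound' }

    # An OWA virtual directory with an ExternalUrl set is, by configuration,
    # meant to be reachable from the internet; those are the ones to review
    # for the "restrict OWA exposure" step.
    $externalOwa = Get-OwaVirtualDirectory -Server $srv.Name |
        Where-Object { $_.ExternalUrl } |
        ForEach-Object { $_.ExternalUrl.AbsoluteUri }

    [PSCustomObject]@{
        Server             = $srv.Name
        MitigationsEnabled = $eems.MitigationsEnabled
        ServiceStatus      = $svcStatus
        Applied            = ($eems.MitigationsApplied -join ', ')
        Blocked            = ($eems.MitigationsBlocked -join ', ')
        ExternalOwaUrls    = ($externalOwa -join ', ')
        NeedsAttention     = (-not $eems.MitigationsEnabled) -or ($svcStatus -ne 'Running')
    }
}

$findings | Format-Table -AutoSize

# EEMS can only apply protections if it can reach the Office Config Service.
# Test that path from this server rather than assuming the proxy allows it.
$ocs = Test-NetConnection -ComputerName 'officeclient.microsoft.com' -Port 443 -WarningAction SilentlyContinue
if (-not $ocs.TcpTestSucceeded) {
    Write-Warning "No TCP/443 path to officeclient.microsoft.com: EEMS cannot fetch new mitigations from here."
}

# Servers flagged NeedsAttention are the ones where the article's "enable EEMS"
# step is not actually in effect yet.
$findings | Where-Object NeedsAttention
```

Any server that shows `MitigationsEnabled` false, a service state other than `Running`, or a non-empty `Blocked` list is not receiving the temporary protections the article describes, whatever the organization-level switch says. Microsoft also ships `Get-Mitigations.ps1` in the Exchange `Scripts` folder, which lists the mitigations currently applied on a server and is a good cross-check against the `Applied` column above.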

## How Attackers Could Exploit the Vulnerability

Researchers say attackers may use socially engineered phishing emails containing specially crafted payloads designed to execute code inside a victim’s browser session.

Potential consequences include:

  • Session token theft
  • Credential harvesting
  • Account impersonation
  • Business email compromise (BEC)
  • Internal reconnaissance

Because Exchange Server is often deeply integrated into enterprise identity systems, a successful compromise can rapidly escalate into a larger breach.

## Growing Risks for On-Premises Exchange Servers

While many organizations have migrated to cloud-based email platforms, thousands of enterprises still rely on on-premises Exchange infrastructure due to compliance, regulatory, or operational requirements.

Unfortunately, legacy Exchange deployments continue to attract attackers because:

  • Internet-facing OWA portals are common
  • Patch management delays remain widespread
  • Older deployments may lack modern monitoring
  • Misconfigurations frequently expose services publicly

Cybersecurity analysts warn that threat actors often scan the internet for vulnerable Exchange systems within hours of vulnerability disclosure.

## Security Community Responds

The cybersecurity industry has reacted quickly to the disclosure. Multiple security firms and threat intelligence platforms have issued alerts advising organizations to prioritize mitigation efforts immediately.

Experts emphasize that organizations should not wait for confirmed indicators of compromise before acting.

Given the history of Exchange-related attacks, defenders are being urged to treat the vulnerability as a high-priority incident response issue.

## Lessons From Previous Exchange Breaches

Microsoft Exchange vulnerabilities have repeatedly played a role in some of the largest cyber incidents in recent years.

The 2021 Exchange Server attacks demonstrated how quickly attackers can weaponize zero-day vulnerabilities to compromise government agencies, universities, healthcare providers, and private companies worldwide.

Those incidents also highlighted critical cybersecurity lessons:

  • Rapid patching is essential
  • Internet-facing services require constant monitoring
  • Email infrastructure remains a prime attack surface
  • Supply chain and identity systems are deeply interconnected

The latest exploitation activity suggests that Exchange Server remains a valuable target for cybercriminals and advanced persistent threat (APT) groups alike.

## Conclusion

CISA’s latest warning serves as another reminder that email infrastructure remains one of the most critical and vulnerable components of enterprise cybersecurity.

With active exploitation already underway, organizations using Microsoft Exchange Server should move quickly to implement mitigations, monitor for suspicious activity, and prepare for future security updates.

As attackers continue targeting widely deployed enterprise platforms, proactive vulnerability management and rapid incident response remain essential defenses against large-scale cyber threats.
