Critical Microsoft Exchange Server Flaw Under Active Attack – CVE-2026-42897 Exploited via Malicious Emails
Microsoft has confirmed that a previously undisclosed security vulnerability in its on-premises Exchange Server software is now being actively exploited in the wild. The flaw, tracked as CVE-2026-42897 and assigned a CVSS score of 8.1 (High), allows attackers to launch spoofing attacks through crafted email messages.
According to Microsoft's advisory, the vulnerability stems from a cross-site scripting (XSS) flaw that is triggered when an Exchange server processes a specially crafted email. This allows a remote, unauthenticated attacker to impersonate legitimate users or systems, potentially leading to unauthorized data access or further compromise.
“We are aware of limited, targeted attacks exploiting CVE-2026-42897 against on-premises Exchange servers,” said a spokesperson from the Microsoft Security Response Center (MSRC). “We urge all customers running on-premises Exchange to apply the security update immediately.”
The issue was discovered by a security researcher who disclosed it privately to Microsoft ahead of any public disclosure; the researcher's identity has not been revealed.
Background
Exchange Server has been a frequent target for attackers in recent years. In 2021, the Hafnium group exploited zero-day vulnerabilities to breach thousands of organizations. While cloud-based Exchange Online received updates automatically, on-premises customers often face delays in patching.

CVE-2026-42897 specifically affects on-premises deployments of Microsoft Exchange Server 2016 and 2019. Microsoft has released an out-of-band security update to address the flaw. No mitigations are available for unpatched systems.

Security experts warn that this vulnerability is particularly dangerous because it can be exploited with a single email. “Any Exchange server exposed to the internet is a potential target,” said John Hammond, principal security researcher at Huntress. “Attackers don't need credentials – just a valid email address.”
What This Means
Organizations running on-premises Exchange Server are at immediate risk. The spoofing capability allows attackers to forge trusted domains or employee accounts, enabling phishing campaigns or credential theft.
Microsoft's advisory emphasizes that the vulnerability can be exploited without user interaction. Once an attacker sends a malicious email, the Exchange server processes it, and the XSS payload executes, making detection difficult.
Administrators should prioritize installing the update released in the April 2026 Patch Tuesday rollup. Workarounds include disabling Outlook Web Access (OWA) or blocking certain email attachments, but these are not full solutions.
“This is a race against time,” added Hammond. “Every unpatched server is a ticking bomb. We strongly recommend immediate patching, even if it means scheduling downtime.”
For more technical details, refer to Microsoft's security bulletin. If you suspect compromise, conduct a thorough audit of Exchange logs for unusual login activity or unauthorized mailbox access.