Cross-site scripting flaw in on-premise Exchange servers enables spoofing attacks via crafted emails.
- Microsoft disclosed CVE-2026-42897, a spoofing vulnerability in on-premise Exchange Server with CVSS score 8.1
- The flaw stems from cross-site scripting and is being actively exploited in the wild
- Anonymous researcher credited with discovering and reporting the vulnerability
Microsoft has disclosed a new security vulnerability affecting on-premise Exchange Server installations that is being actively exploited by attackers.
The vulnerability, designated CVE-2026-42897, carries a CVSS severity score of 8.1 and has been classified as a spoofing vulnerability. The flaw originates from a cross-site scripting issue within Exchange Server’s code.
According to Microsoft’s disclosure, attackers can exploit this vulnerability through crafted email messages sent to vulnerable Exchange servers. The spoofing nature of the vulnerability suggests attackers could potentially impersonate legitimate users or systems.
An anonymous security researcher has been credited with discovering and reporting the vulnerability to Microsoft through responsible disclosure channels.
The vulnerability specifically impacts on-premise deployments of Microsoft Exchange Server. Microsoft has not provided details about which specific versions are affected or whether Exchange Online customers face any risk.
Active exploitation in the wild indicates that threat actors are already leveraging this vulnerability against vulnerable Exchange Server installations. This suggests organisations running on-premise Exchange servers face immediate risk if they have not applied available security updates.
Why It Matters
Exchange Server vulnerabilities present significant risks to enterprise communications infrastructure and have historically been high-value targets for advanced persistent threat groups. The spoofing capability combined with email-based exploitation creates potential for business email compromise attacks and credential harvesting campaigns.
With active exploitation already confirmed, CISOs must treat this as an urgent patching priority for any on-premise Exchange deployments in their environment.
What To Do Now
- Identify all on-premise Exchange Server installations in your environment and assess their current patch status
- Monitor Microsoft Security Update Guide for specific patch releases addressing CVE-2026-42897
- Review email security controls and monitoring for potential exploitation attempts targeting Exchange infrastructure
