Microsoft has confirmed that attackers are actively exploiting a new Exchange Server zero-day, CVE-2026-42897, which carries a CVSS score of 8.1. The flaw is a cross-site scripting (improper neutralization of input during web page generation) issue in Exchange Server that lets an unauthorized attacker carry out spoofing over a network.

According to Microsoft's advisory, the weakness affects Outlook Web Access. An attacker can send a specially crafted email that runs malicious JavaScript when it is opened in OWA under certain conditions. Microsoft says it has observed exploitation in the wild but has not shared details of the attacks. With no permanent fix yet available, the company has issued temporary mitigations and is urging administrators to apply them immediately.

The zero-day surfaced just two days after Microsoft's May 2026 Patch Tuesday, which addressed 138 vulnerabilities. Exchange flaws are especially dangerous because the platform sits at the center of corporate email; many on-premises servers are internet-facing, and a browser-triggerable bug means a simple phishing-style message can be enough to run attacker-supplied script inside the victim's authenticated OWA session.

Once inside Exchange, attackers can read mail and attachments, steal credentials, reset passwords, pivot to other systems, and maintain long-term access through mail rules or tokens — which is why such bugs are routinely abused in both espionage and ransomware campaigns. In April, CISA added an earlier Exchange deserialization flaw, CVE-2023-21529, to its KEV catalog.