Microsoft has shipped a fix for an actively exploited Exchange Server flaw that lets attackers run arbitrary JavaScript in the browsers of Outlook Web Access users. Tracked as CVE-2026-42897, the high-severity spoofing bug enables cross-site scripting (XSS) attacks and affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). It can be triggered remotely by attackers who hold no privileges on the targeted system.

According to the Exchange Team, an attacker abuses the weakness by emailing a victim a specially crafted message. If that user opens it in Outlook Web Access and a specific set of interaction conditions is satisfied, malicious JavaScript executes in the user's browser, within the Outlook Web Access session. Microsoft first addressed the threat in mid-May by pushing an automatic, temporary mitigation through the Exchange Emergency Mitigation Service (EEMS).

The full patch arrived a day before this report, with Microsoft urging administrators to apply the June 2026 Security Updates "as soon as possible." The company said it is continuing to strengthen its defenses against XSS attacks and recommended that customers leave the earlier EEMS mitigation in place as an additional safeguard while further improvements roll out. Microsoft had not responded to questions about the in-the-wild attacks at the time of writing.
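Because Microsoft is asking for both the security update and the EEMS mitigation, an administrator will want to confirm both on every Mailbox server. The following PowerShell is an added example written for this page, not code from the article or from Microsoft; it assumes the Exchange Management Shell on a server with EEMS support (Exchange 2016 CU22 or later, Exchange 2019 CU11 or later, or Subscription Edition) and uses only the `Get-ExchangeServer` mitigation properties, the `MSExchangeMitigation` service and the `Get-Mitigations.ps1` script that ship with those builds. It does not hard-code a mitigation ID or a build number, since the article gives neither.

```powershell
# Added example (not from the article or from Microsoft). Run in the
# Exchange Management Shell on a Mailbox server with EEMS support.
# Assumed to exist: Get-ExchangeServer properties MitigationsEnabled,
# MitigationsApplied and MitigationsBlocked (Exchange 2016 CU22+ / 2019 CU11+),
# the MSExchangeMitigation Windows service, and $exscripts\Get-Mitigations.ps1.

# 1. Is the Emergency Mitigation Service actually running on this host?
#    If it is stopped, the temporary mitigation is not being applied or renewed.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "MSExchangeMitigation service not found: this build predates EEMS; install a current CU first."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "MSExchangeMitigation is $($svc.Status); the EEMS mitigation is not active on this host."
}

# 2. Per-server EEMS state across the org. MitigationsEnabled must be $true
#    and the relevant mitigation must appear under MitigationsApplied rather
#    than MitigationsBlocked (an admin can block a mitigation per server).
Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox' } |
    ForEach-Object {
        [pscustomobject]@{
            Server             = $_.Name
            CU                 = $_.AdminDisplayVersion   # shows the CU, not the SU
            MitigationsEnabled = $_.MitigationsEnabled
            Applied            = ($_.MitigationsApplied -join ', ')
            Blocked            = ($_.MitigationsBlocked -join ', ')
        }
    } | Format-Table -AutoSize

# 3. Which mitigations (by ID and description) are live on the local server.
& "$exscripts\Get-Mitigations.ps1"

# 4. AdminDisplayVersion only reflects the CU. The installed Security Update
#    level is visible in the ExSetup.exe file version; compare this against the
#    build Microsoft lists for the June 2026 SU (taken from Microsoft's release
#    notes, not from this script).
(Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
```

Steps 1, 3 and 4 report on the server the shell is running on, so repeat them on each Mailbox server (or wrap them in `Invoke-Command`); step 2 queries Active Directory and covers the whole organization in one call. A server that shows `MitigationsEnabled = False`, a stopped `MSExchangeMitigation` service, or the mitigation under `Blocked` is relying on the security update alone, which is exactly the configuration Microsoft is advising against here.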

A long-running target for attackers

The U.S. Cybersecurity and Infrastructure Security Agency flagged the bug as exploited in the wild on May 15, adding it to its Known Exploited Vulnerabilities catalog and giving federal agencies a two-week window, until May 29, to patch. Exchange remains a favorite target: over the past five years, CISA has cataloged 20 exploited Exchange Server vulnerabilities, 14 of which ransomware groups have abused. The pressure on aging deployments was also evident last October, when, weeks after Exchange 2016 and 2019 reached end of support, CISA and the National Security Agency issued joint guidance on hardening Exchange servers against attack.