KeyAudit

Tags: phishing

Microsoft Patches Actively Exploited Exchange Server XSS Vulnerability

Microsoft has patched a critical cross-site scripting (XSS) vulnerability in Exchange Server, tracked as CVE-2026-42897, which is being actively exploited in attacks targeting Outlook Web Access (OWA). The flaw affects Exchange Server 2016, 2019, and Subscription Edition (SE) and allows remote unauthenticated attackers to execute arbitrary JavaScript by sending specially crafted emails; a user who opens such an email in OWA under certain conditions triggers the exploit. Microsoft initially deployed automatic mitigations via the Exchange Emergency Mitigation Service in mid-May and released permanent security updates on or around June 2026. CISA added the vulnerability to its exploited list on May 15, giving federal agencies until May 29 to patch. Over the past five years, CISA has listed 20 Exchange Server flaws, 14 of which were exploited by ransomware groups. In October, after Exchange 2016 and 2019 reached end-of-support, CISA and NSA issued guidance on hardening Exchange servers. Microsoft urges administrators to install the June 2026 updates as soon as possible and to keep the interim mitigations in place for layered defense.

Key facts

  • CVE-2026-42897 is an actively exploited XSS vulnerability in Exchange Server.
  • Affects Exchange Server 2016, 2019, and Subscription Edition (SE).
  • Remote unauthenticated attackers can execute JS via crafted emails in OWA.
  • Microsoft released permanent patches in June 2026 after temporary mitigations.
  • CISA added the flaw to its exploited list, requiring federal agencies to patch by May 29.