Tuesday, May 19, 2026

Microsoft Exchange Zero-Day Exploited, No Patch Yet

A critical zero-day flaw in Microsoft Exchange is being actively exploited right now, and there is still no fix in sight. The vulnerability, tracked as CVE-2026-42897, silently targets Outlook Web Access users and can hand attackers full control over your email mailbox. Days after Microsoft’s disclosure, millions of users remain exposed and waiting.

What This Exchange Zero-Day Actually Does

Microsoft disclosed CVE-2026-42897 on Thursday, May 14, just two days after a major Patch Tuesday release that ironically contained no zero-days at all.

The flaw lives inside Exchange’s Outlook Web Access interface and stems from a cross-site scripting (XSS) vulnerability. An attacker exploits it by sending a specially crafted email directly to a target.

If the victim opens that email inside Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript code executes silently in their browser with no visible warning whatsoever.

Microsoft’s own advisory confirmed the flaw enables “spoofing attacks” by an unauthorized attacker operating over a network. The Cybersecurity and Infrastructure Security Agency (CISA) moved quickly, adding CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog just one day after Microsoft went public with the disclosure.


Who Is at Risk and How Serious Is It

The vulnerability directly affects organizations running on-premises versions of Microsoft Exchange. Three specific versions are in the crosshairs:

  • Exchange Server 2016
  • Exchange Server 2019
  • Exchange Server Subscription Edition (SE)

Microsoft assigned CVE-2026-42897 a CVSS score of 8.1, placing it firmly in the high-severity category. The National Vulnerability Database maintained by NIST scored it lower at 6.1, labeling it a medium-severity issue.

That scoring gap has already sparked real debate inside the security community about just how seriously organizations should treat this threat.

Belgium’s Centre for Cybersecurity published an advisory warning that a successful exploit can give an attacker access to a victim’s full Outlook mailbox and active session tokens. It can also allow attackers to make unauthorized changes to mailbox settings and even alter the actual content of emails flowing in and out of the compromised account.

Why This XSS Bug Is More Dangerous Than It Looks

Cross-site scripting vulnerabilities often get dismissed as low-level threats. Security insiders sometimes call them “junior” bugs, not worth the same urgency as other flaws.

Bogdan Tiron, founder of penetration testing firm Fortbridge, challenged that view directly in a LinkedIn post published this week.

“The impact isn’t server compromise. It’s mailbox compromise, reading mail, sending emails as the victim, stealing session tokens, planting forwarding rules that survive password resets.” – Bogdan Tiron, Founder, Fortbridge

That last detail is what makes this vulnerability especially alarming. Attackers can plant forwarding rules that survive a full password reset, meaning a victim cannot cut off the attacker’s access simply by changing their credentials.

Tiron also warned that XSS “still owns enterprise mail in 2026,” pointing out that attackers keep returning to these so-called boring vulnerabilities because they simply keep working. A compromised mailbox rarely stays contained to just one inbox.

Security researchers stress that a successful exploit of CVE-2026-42897 can serve as the launchpad for business email compromise (BEC) scams or even ransomware deployment across an entire corporate network. The damage potential goes far beyond one person’s email account.

How to Protect Your Systems Right Now

Microsoft has not provided any timeline for when a full security patch will arrive. The company confirmed only that a security update is in development and will be deployed “in the future.”

While organizations wait, Microsoft has offered two mitigation options:

| Mitigation Option | How It Works | Best For |
|---|---|---|
| Exchange Emergency Mitigation (EM) Service | Automatically applies protection for Exchange Server 2016, 2019, and SE instances | Organizations with EM Service enabled (Microsoft’s top recommendation) |
| Exchange On-premises Mitigation Tool (EOMT) | Manual download and script execution via Exchange Management Shell | Organizations without EM Service currently enabled |

The Exchange Emergency Mitigation Service has existed since 2021 and is enabled by default on supported systems. Microsoft is urging any organization that has disabled the EM Service to re-enable it immediately as their first and most important action.

Both mitigation options come with a catch. Microsoft confirmed they cause disruptions to OWA Print Calendar functionality and OWA light mode, among other smaller issues. IT teams will need to weigh those disruptions carefully against the very real threat of active exploitation happening right now.

Security teams should also audit their entire Exchange environment for suspicious mailbox forwarding rules today. Since attackers can embed rules that outlast password resets, simply applying mitigations later may not be enough to fully recover from a compromise that already happened.
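One way to run that forwarding-rule audit from the Exchange Management Shell on an on-premises server, as an added example that is not part of the article: it lists mailbox-level forwarding and any inbox rule whose forward or redirect target lies outside the organization’s accepted domains. The address format assumed for rule targets and the output file name are assumptions.

```powershell
# Added example (not from the article): audit on-premises Exchange for inbox rules and
# mailbox-level forwarding that send mail outside the organization.
# Assumes an Exchange Management Shell session with permission to read all mailboxes.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets are assumed to look like '"Name" [SMTP:user@domain]' or 'user@domain';
    # fall back to the raw string when no SMTP: token is present.
    $addr = if ($Address -match 'SMTP:([^\]]+)') { $Matches[1] } else { $Address }
    $domain = ($addr -split '@')[-1].ToLower()
    return -not ($internal -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (settable by an admin or by anyone holding a stolen session)
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingSmtpAddress'
                           Target = "$($mbx.ForwardingSmtpAddress)"; Rule = '' }
    }
    # Inbox rules: forward, forward-as-attachment and redirect actions all exfiltrate mail
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                                   Target = "$t"; Rule = $rule.Name }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Keep a record for incident response; file name is an assumption
$findings | Export-Csv -Path .\exchange-forwarding-audit.csv -NoTypeInformation
```

Review every hit against a change ticket or the owner’s confirmation before removing it, since some external forwards are legitimate; rules that also delete the original message deserve particular attention.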

The fact that CISA placed this vulnerability on its KEV catalog sends a clear message to federal agencies and critical infrastructure operators. This is not a wait-and-see situation. Every hour of inaction is an open window for attackers.

CVE-2026-42897 is a hard reminder that even a routine-looking XSS bug can carry devastating consequences when it lands inside enterprise email systems at this scale. With real attacks already underway, no patch on the calendar, and millions of mailboxes sitting exposed, every IT and security team running on-premises Exchange needs to act today. Enable the EM Service, run the EOMT where needed, and go through your mailbox forwarding rules right now. The next compromised inbox could be inside your own organization. What steps is your security team taking to protect your Exchange environment? Share your thoughts in the comments below and make sure your colleagues know about this threat.

Harper Jones
Harper is an experienced content writer specializing in technology with expertise in simplifying complex technical concepts into easily understandable language. He has written for prestigious publications and online platforms, providing expert analysis on the latest technology trends, making his writing popular amongst readers.
