Sat, May 16, 2026
Security

Microsoft flags Exchange zero-day under attack as admins await patch

Microsoft said a high-severity Exchange Server flaw is under active attack, telling administrators to apply emergency mitigations while awaiting a broader fix.

By Kai Mendel

Microsoft said on Friday that a high-severity Exchange Server flaw, CVE-2026-42897, was being exploited in the wild, putting pressure on organizations still running the software on premises. Administrators are being told to apply mitigations immediately while they wait for a broader fix. The affected versions are Exchange 2016, Exchange 2019 and Exchange Subscription Edition.

“Using EM Service is the best way for your organization to mitigate this vulnerability right away,” the Microsoft Exchange Team told customers in published guidance. The company was not describing a theoretical weakness. It was telling administrators to move.

The flaw involves Outlook Web Access spoofing and cross-site scripting. BleepingComputer reported that, under certain interaction conditions, opening a malicious email in Outlook Web Access could allow arbitrary JavaScript to run in the browser context. For security teams, that means a single message can become a route into an employee session on an internet-facing webmail system.

The National Vulnerability Database lists a CVSS 3.1 base score of 8.1 for the issue, and SecurityWeek confirmed the zero-day was under active exploitation. That raised the stakes for companies still running Exchange in-house rather than through Microsoft’s cloud email service.

The materials cited by the security reports centered on immediate defensive steps, not a final patch timeline. For administrators, the next moves are practical: deploy Microsoft’s mitigations, review Outlook Web Access exposure and watch for further guidance on a permanent fix.

Kai Mendel

Technology editor covering fintech, AI and the platform economy. Reports from San Francisco.
