Microsoft has revealed a fresh security flaw affecting on-premises Exchange Server installations, which it says is already being actively exploited in real-world attacks. The vulnerability, identified as CVE-2026-42897 (CVSS score: 8.1), is a spoofing issue that originates from a cross-site scripting weakness. An unnamed researcher has been credited with finding and disclosing the flaw.

According to a Thursday advisory from Microsoft, "Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network."

The company, which assessed the vulnerability as "Exploitation Detected," explained that an attacker could exploit it by sending a specially crafted email to a victim. When the message is viewed in Outlook Web Access under specific interaction conditions, this could lead to the execution of arbitrary JavaScript code within the browser context.

Microsoft added that it is offering interim protection through its Exchange Emergency Mitigation Service while it prepares a full patch. The service, which is enabled by default, automatically applies the fix via a URL rewrite configuration. Administrators should enable the Windows service if it is not already running. Microsoft has stated that Exchange Online is unaffected by this vulnerability.

The following on-premises versions of Exchange Server are impacted:

- Exchange Server 42897 (any patch level).
- Exchange Server 2019, regardless of update level.
- Exchange Server Subscription Edition (SE), at any update level.

If the Exchange Emergency Mitigation Service cannot be used because of air-gap restrictions, the company has specified the following sequence of steps:
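Separately from the air-gap procedure the article refers to, the following added PowerShell snippet (not from the article or from Microsoft) checks the precondition the advisory relies on: that the Exchange Emergency Mitigation Service is running and that mitigations are enabled on each server. It assumes the Windows service name MSExchangeMitigation and the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties returned by Get-ExchangeServer, and is meant to be run from the Exchange Management Shell.

```powershell
# Added example, not Microsoft's or the article's code. Assumes the EEMS
# service name 'MSExchangeMitigation' and the Mitigations* properties of
# Get-ExchangeServer; adjust if your build names them differently.

$serviceName = 'MSExchangeMitigation'

# 1. Local Windows service: EEMS can only fetch and apply the URL rewrite
#    mitigation on its own if the service is set to Automatic and is running.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "$serviceName not found; this build may predate EEMS or the service was removed."
} else {
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name $serviceName -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $serviceName
    }
    $svc = Get-Service -Name $serviceName
    Write-Output ("{0}: {1} (startup: {2})" -f $serviceName, $svc.Status, $svc.StartType)
}

# 2. Exchange-level switch: mitigations can be turned off per server, in which
#    case a running service still applies nothing. Re-enable where needed and
#    report which mitigation IDs each server has applied or blocked.
Get-ExchangeServer | ForEach-Object {
    if (-not $_.MitigationsEnabled) {
        Set-ExchangeServer -Identity $_.Name -MitigationsEnabled $true
    }
    $srv = Get-ExchangeServer -Identity $_.Name
    [pscustomobject]@{
        Server             = $srv.Name
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($srv.MitigationsApplied -join ', ')
        Blocked            = ($srv.MitigationsBlocked -join ', ')
    }
} | Format-Table -AutoSize
```

A server that shows MitigationsEnabled as True but an empty Applied column has not yet pulled the interim fix, so check its outbound connectivity to Microsoft before assuming it is protected.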
The Hacker News