
Exchange OWA: Zero-Day Vulnerability Exploited in the Wild, Patch Paywall for Older Versions

The Bottom Line: An actively exploited XSS vulnerability in Exchange OWA is being patched for current versions but remains unfixed for Exchange 2016/2019 without paid Extended Support.

An actively exploited Cross-Site Scripting vulnerability in Microsoft Exchange OWA enables attacks via email. While current versions are being patched, organizations running Exchange 2016 and 2019 must pay for a security update or resort to mitigation measures.

A security vulnerability in Microsoft Exchange’s Outlook Web Access (OWA) allows attackers to inject malicious scripts that execute on the recipient’s side. Microsoft’s security team has confirmed that the vulnerability is already being exploited in active attacks and classifies it as a zero-day.

The update has been released for current Exchange versions. However, for organizations operating Exchange Server 2016 or 2019, Microsoft does not provide the patch automatically through standard support channels. Instead, a paid Extended Support arrangement is required to obtain the fix. This particularly affects companies whose support contracts are expiring or those who have not migrated to newer versions.

As immediate countermeasures, Microsoft recommends restricting OWA access to the IP addresses that actually need it and enforcing strict authentication mechanisms. The vulnerability is an XSS vector that lets attackers hijack session tokens or inject malware into the email workflow. CISOs should promptly review which Exchange versions are running in their infrastructure and schedule the necessary updates or, if that is not possible, implement the recommended mitigation measures immediately.
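The IP restriction recommended above can be expressed as an IIS "IP and Domain Restrictions" rule scoped to the OWA virtual directory. The fragment below is an added illustration, not configuration from the article or from Microsoft; it assumes the IIS IP and Domain Restrictions feature is installed, that the fragment is placed in the web.config of the OWA front-end virtual directory (path to be confirmed for the installation in question), and the address ranges shown are constructed placeholders to be replaced with the organization's own management and VPN networks.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: allow-list for the OWA virtual directory.
     allowUnlisted="false" turns the default into deny, so only the
     listed networks can reach OWA; everything else receives 403.
     Address ranges below are constructed placeholders. -->
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false" denyAction="Forbidden">
        <!-- Internal client network (placeholder) -->
        <add ipAddress="10.10.0.0" subnetMask="255.255.0.0" allowed="true" />
        <!-- VPN concentrator pool (placeholder) -->
        <add ipAddress="10.20.5.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Loopback, so local health checks keep working -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

After applying such a rule, verify from an address outside the allow list that OWA now returns 403, and confirm that IIS logs (sc-status 403 with the rejected client address) are being collected so that attempts to reach OWA from unexpected networks remain visible to the SOC. The rule only reduces exposure; it does not remove the XSS flaw, so it is a stopgap until the security update is applied.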

The situation highlights a widespread risk: many organizations operate older Exchange versions beyond their standard support phase. NIS2 requirements for vulnerability management and incident readiness make fast patch processes a requirement, not just from a security but also from a compliance perspective.


Source: www.golem.de · Published 20 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.
