[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVBgsPQ0QnBoRqGQ89tX5tUUv1u_WWraLIo6RwH9w6fc":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"f875f3c5-af20-4d63-a74f-2cb621294b65","On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email","on-prem-microsoft-exchange-server-cve-2026-42897-exploited-via-crafted-email-813d5d","Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. \"","Microsoft disclosed CVE-2026-42897, a critical cross-site scripting vulnerability in on-premises Exchange Server versions (2016, 2019, and Subscription Edition) that is actively being exploited in the wild. The flaw allows attackers to send crafted emails that execute arbitrary JavaScript in Outlook Web Access when opened under certain conditions. Microsoft has provided temporary mitigation via the Exchange Emergency Mitigation Service and a mitigation tool, with a permanent patch forthcoming.","Microsoft Exchange Server CVE-2026-42897 XSS flaw actively exploited via crafted emails.","On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Ravie LakshmananMay 15, 2026Microsoft \u002F Vulnerability Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue. \"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network,\" the tech giant said in a Thursday advisory. Microsoft, which tagged the vulnerability with an \"Exploitation Detected\" assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other \"certain interaction conditions,\" can allow arbitrary JavaScript code to be executed in the context of the web browser. Redmond also noted that it's providing a temporary mitigation through its Exchange Emergency Mitigation Service, while it's readying a permanent fix for the security defect. The Exchange Emergency Mitigation Service will provide the mitigation automatically via a URL rewrite configuration, and is enabled by default. If it's not on, users are advised to enable the Windows service. According to Microsoft, Exchange Online is not impacted by this vulnerability. The following on-premises Exchange Server versions are affected - Exchange Server 2016 (any update level) Exchange Server 2019 (any update level) Exchange Server Subscription Edition (SE) (any update level) If using the Exchange Emergency Mitigation Service is not an option due to air-gap restrictions, the company has outlined the following series of actions - Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms\u002FUnifiedEOMT. Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS): Single server: .\\EOMT.ps1 -CVE \"CVE-2026-42897\" All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne \"Edge\" } | .\\EOMT.ps1 -CVE \"CVE-2026-42897\" Microsoft said it's also aware of a known issue where the mitigation shows the \"Mitigation invalid for this exchange version.\" in the Description field. \"This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as 'Applied,'\" the Exchange Team said. \"We are investigating on how to address this.\" There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It's also unclear who the targets are and if any of those attacks were successful. In the interim, it's recommended to apply the mitigations recommended by Microsoft. Update The U.S.Cybersecurity and Infrastructure Security Agency (CISA), on May 15, 2026, added CVE-2026-42897 Mi to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations by May 29, 2026. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Cross-site Scripting, cybersecurity, Exchange Server, Microsoft, Outlook, Vulnerability ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fon-prem-microsoft-exchange-server-cve.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEirN79ZRjEd5wnVbOTlJJsWjQ54cwSj2bM5NDzBSgAFO8f_9LrlIwQRI0ZogQX42iejmhgc1n2YcA91pFrVqtqNKKyAIXblcQ1Yx9LTs1TeNDbNN6JMUBXCKDK1W0IwnwvYl1dhQmcyTPHwakckKT_Kc9fAUDAJRj94g2pENrjy4UyTCCniOXI2rO-q66PC\u002Fs1600\u002FMicrosoft-Exchange.png","2026-05-15T06:19:04+00:00","2026-05-15T08:00:15.337811+00:00",9,[18,21,24,26,28,30],{"name":19,"type":20},"Microsoft","vendor",{"name":22,"type":23},"Exchange Server 2016","product",{"name":25,"type":23},"Exchange Server 2019",{"name":27,"type":23},"Exchange Server Subscription Edition",{"name":29,"type":23},"Outlook Web Access",{"name":31,"type":32},"Cross-Site Scripting (XSS)","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",[45],{"type":46,"value":47,"context":48},"cve","CVE-2026-42897","Cross-site scripting vulnerability in Microsoft Exchange Server allowing spoofing via crafted email, CVSS 8.1, actively exploited"]