Microsoft has disclosed CVE-2026-42897, a zero-day affecting Exchange Server Subscription Edition, 2016, and 2019, after it was observed in attacks. The flaw impacts Outlook Web Access and may allow spoofing and arbitrary JavaScript execution if a targeted user opens a specially crafted email. Microsoft has released mitigation guidance pending a permanent fix.
Key points
- Microsoft Exchange Server zero-day CVE-2026-42897 has been disclosed after reported exploitation.
- The flaw affects Exchange Server Subscription Edition, 2016, and 2019.
- It involves spoofing and cross-site scripting in Outlook Web Access.
- Attackers can trigger it through a specially crafted email.
- Microsoft has provided mitigation steps while a permanent patch is developed.
Read More: https://www.securityweek.com/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild/