All stories
highAPT / Nation-State

Microsoft Fixes Critical XSS Flaw in Exchange Server Actively Exploited by Threat Actors

Microsoft has patched an actively exploited vulnerability in Exchange Server that allows threat actors to execute arbitrary JavaScript code via cross-site scripting (XSS) attacks. This high-severity flaw affects Exchange Server 2016, 2019, and Subscription Edition, potentially allowing attackers to compromise Outlook Web Access users without needing privileges. Administrators are urged to apply the June 2026 security updates immediately and maintain existing mitigations for enhanced protection.

Harith Dilshan·Jun 10, 2026·3 min read·Primary source

Summary

Microsoft has addressed a critical vulnerability in its Exchange Server software that was actively exploited by threat actors. This zero-day flaw, identified as CVE-2026-42897, enables attackers to execute arbitrary JavaScript code through cross-site scripting (XSS) attacks targeting Outlook Web Access users. The vulnerability affects Exchange Server 2016, 2019, and Subscription Edition, posing a significant risk even without requiring attacker privileges. Microsoft has issued security updates to mitigate this threat and advises administrators to deploy these patches promptly while maintaining existing mitigations for continued protection.

What Happened

The flaw in question allows remote attackers to exploit the Exchange Server by sending specially crafted emails to users. If a user opens such an email within Outlook Web Access under specific conditions, arbitrary JavaScript can be executed within their browser context. This vulnerability was actively exploited before Microsoft rolled out automatic temporary mitigation through the Exchange Emergency Mitigation Service (EEMS) in mid-May.

The urgency of this situation is underscored by the Cybersecurity and Infrastructure Security Agency (CISA), which added CVE-2026-42897 to its list of security flaws known to be exploited in the wild on May 15. CISA has mandated U.S. government agencies to patch their servers within two weeks, highlighting the vulnerability's critical nature.

Affected Products and Fixed Versions

The vulnerability affects several versions of Microsoft Exchange Server:

  • Exchange Server 2016
  • Exchange Server 2019
  • Exchange Server Subscription Edition (SE)

Microsoft has released security updates for these versions as part of its June 2026 Patch Tuesday. Administrators are strongly advised to apply these updates immediately to protect against the vulnerability.

Exploitation Status

The flaw was actively exploited, prompting Microsoft and CISA to take swift action. The Exchange Team deployed temporary mitigations through EEMS mid-May, followed by permanent patches in the latest security update cycle. This rapid response reflects the severity of the threat posed by this vulnerability.

Detection Opportunities

Security teams are encouraged to test their defenses rigorously against such vulnerabilities. Microsoft has emphasized enhancing protections for cross-site scripting attacks and recommends keeping existing mitigations in place while awaiting further improvements. Organizations should ensure that their detection systems, including SIEM and EDR tools, are capable of identifying attempts to exploit this vulnerability.

Why This Matters for Defenders

This incident highlights the critical need for timely patch management and robust monitoring practices. With 54% of successful attacks going undetected by security teams, it is imperative to test every layer of defense proactively. The exploitation of CVE-2026-42897 underscores the importance of staying ahead of threat actors who continuously seek out unpatched vulnerabilities.

Defender Guidance

  1. Apply Security Updates: Deploy the June 2026 security updates for Exchange Server immediately.
  2. Maintain Mitigations: Keep existing mitigations in place as recommended by Microsoft to ensure continued protection.
  3. Test Defenses: Conduct breach and attack simulations to test SIEM and EDR rules, ensuring threats are detected before they cause harm.
  4. Monitor Communications: Be vigilant for suspicious emails that could exploit the XSS vulnerability within Outlook Web Access.

What Remains Unclear

While Microsoft has addressed the immediate threat posed by CVE-2026-42897, details about the specific attacks exploiting this vulnerability remain limited. BleepingComputer notes that they have yet to receive a response from Microsoft regarding these attacks. Additionally, while CISA has mandated patches for U.S. government agencies, it is unclear how widespread the exploitation of this flaw is across other sectors.

Tags: #MicrosoftExchangeServer #ZeroDayVulnerability #CrossSiteScripting #CVE-2026-42897 #CybersecurityUpdate

Sources

  1. https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/
  2. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=CVE-2024-21182&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
  3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
  4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897#securityUpdates
#APT/Nation-State#h4rithd#news#HarithDilshan#APTNationState#CyberSecurity#InfoSec#ThreatIntel
Harith Dilshan

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -

Related reading

highAPT / Nation-State

Microsoft's June Patch Tuesday Unveils 206 Fixes: Urgent Patch Needed for Self-Spreading Vulnerability

Jun 10, 2026 · 3 min readhighAPT / Nation-State

Unauthorized Access via ServiceNow Vulnerability Highlights Need for AI-Driven Security Measures

Jun 9, 2026 · 2 min readhighAPT / Nation-State

Gamaredon Exploits WinRAR Zero-Day: Urgent Patch Needed for Windows Users

Jun 2, 2026 · 3 min read