CRITICAL ⚡ MUST-KNOW
Microsoft Exchange CVE-2026-42897 Zero-Day Exploited via Crafted Email
Microsoft disclosed CVE-2026-42897 (CVSS 8.1), a spoofing vulnerability in on-premises Exchange Server rooted in a cross-site scripting flaw, now actively exploited in the wild. Attackers deliver crafted emails targeting Outlook on the web (OWA) users to achieve arbitrary code execution. An anonymous researcher reported the issue; CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. No permanent patch is available yet — Microsoft has published interim mitigation guidance. Organizations running on-premises Exchange should apply Microsoft’s mitigations immediately, restrict access to OWA where possible, and monitor web access logs for anomalous activity. Federal agencies face a remediation deadline tied to the KEV listing.