Microsoft Confirms Exchange Zero-Day CVE-2026-42897 Is Exploited, 2 Days After 138-Patch Update

7 articles · Updated · Security Affairs · May 15
  • CVE-2026-42897, a newly disclosed Exchange Server zero-day with a CVSS score of 8.1, is being actively exploited in the wild, Microsoft said.
  • Outlook Web Access is the exposed path: a specially crafted email can trigger malicious JavaScript when opened under certain conditions, enabling network spoofing.
  • Microsoft has not detailed the attacks or named victims, but released temporary mitigations and urged administrators to apply them immediately until a permanent fix arrives.
  • Exchange zero-days carry outsized risk because many on-premises servers are internet-facing and can expose emails, credentials and internal workflows once compromised.
  • The disclosure came just 2 days after Microsoft's May Patch Tuesday fixed 138 vulnerabilities, underscoring continued pressure on Exchange as a high-value target.
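The bullets above leave one practical question open for an Exchange administrator: which of my servers are actually in scope, and which of them publish Outlook Web Access to the internet? The following is an added scoping check, not code from the article, from Security Affairs or from Microsoft. It runs in the Exchange Management Shell and uses only standard cmdlets (Get-ExchangeServer, Get-OwaVirtualDirectory). It assumes view-only organization rights and treats a non-empty ExternalUrl on an OWA virtual directory as "internet-facing"; the patched build number for CVE-2026-42897 is not on this page, so the script reports builds rather than judging them.

```powershell
# Added example: inventory Exchange servers by build and OWA exposure.
# Not the article's or Microsoft's code. Assumptions: run from the Exchange
# Management Shell with View-Only Organization Management (or higher), and
# "internet-facing" == the OWA virtual directory has an ExternalUrl set.
# The fixed build for CVE-2026-42897 is NOT known from the page; compare the
# Build column against Microsoft's advisory yourself.

# OWA virtual directories for the whole org, read from AD only (fast, no IIS calls)
$owaDirs = Get-OwaVirtualDirectory -ADPropertiesOnly |
           Select-Object Server, InternalUrl, ExternalUrl

# Only Mailbox-role servers host OWA; Edge Transport servers do not.
$report = Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox' } |
    ForEach-Object {
        $srv  = $_
        $dirs = $owaDirs | Where-Object { $_.Server -eq $srv.Name }

        [pscustomobject]@{
            Server         = $srv.Name
            Build          = $srv.AdminDisplayVersion.ToString()   # e.g. "Version 15.2 (Build nnnn.n)"
            OwaDirs        = @($dirs).Count
            InternetFacing = [bool]($dirs | Where-Object { $_.ExternalUrl })
            OwaExternalUrl = (($dirs | ForEach-Object { $_.ExternalUrl }) -join '; ')
        }
    }

# Internet-facing servers first: these are the ones to mitigate or patch first.
$report | Sort-Object InternetFacing, Server -Descending | Format-Table -AutoSize

# Optional: keep a dated copy as evidence of what was exposed when the advisory landed.
$report | Export-Csv -NoTypeInformation -Path ("owa-exposure-{0:yyyyMMdd}.csv" -f (Get-Date))
```

ExternalUrl is a reasonable proxy, but not proof, of internet exposure: a server behind a reverse proxy or load balancer can be published without it, and a stale ExternalUrl can survive decommissioning. Cross-check the list against your perimeter configuration before deciding which hosts get Microsoft's interim mitigations first.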

Immediate Threat Alert: CVE-2026-42897 Zero-Day in Microsoft Exchange Server—Exploitation, Mitigation, and Future Outlook

Overview

On May 14, 2026, Microsoft confirmed active exploitation of CVE-2026-42897, a zero-day vulnerability in Microsoft Exchange Server. The flaw is especially dangerous because Exchange sits at the center of corporate email: a successful exploit can give attackers a pathway to internal communications, user credentials and the business workflows that run through mail. The risk is global, with organizations facing data breaches and operational disruption while details of the attack methods and the threat actors involved remain unclear.

...