
Microsoft Exchange Zero-Day Under Attack, No Patch Available

Microsoft reveals a zero-day flaw in Exchange that enables spoofing attacks via OWA, with a patch still pending after four days.
Content Team

Microsoft disclosed a zero-day vulnerability (CVE-2026-42897) in Exchange that's actively being exploited, but customers are still waiting for a patch four days later. The flaw affects Exchange Outlook Web Access and allows attackers to execute spoofing attacks through cross-site scripting.

Attackers can exploit this by sending specially crafted emails that execute malicious JavaScript when opened in OWA. The vulnerability affects Exchange Server 2016, 2019, and Subscription Edition, earning an 8.1 CVSS score from Microsoft.

Security experts warn that successful attacks could compromise mailboxes, steal session tokens, and enable business email compromise or ransomware attacks. Microsoft offers two temporary mitigations: the Exchange Emergency Mitigation Service (recommended) and an updated mitigation tool, though both cause some functionality disruptions.

Source: Dark Reading
