Live Cybersecurity News Ticker | Codekeeper

Microsoft Exchange Zero-Day Under Attack, No Patch Available

Written by Content Team | May 19, 2026 12:18:21 PM

Microsoft disclosed a zero-day vulnerability (CVE-2026-42897) in Exchange that is being actively exploited, but four days later customers are still waiting for a patch. The flaw affects Exchange Outlook Web Access (OWA) and allows attackers to carry out spoofing attacks through cross-site scripting.

Attackers can exploit the flaw by sending specially crafted emails that execute malicious JavaScript when opened in OWA. The vulnerability affects Exchange Server 2016, 2019, and Subscription Edition, and Microsoft assigned it a CVSS score of 8.1.

Security experts warn that successful attacks could compromise mailboxes, steal session tokens, and enable business email compromise or ransomware attacks. Microsoft offers two temporary mitigations: the Exchange Emergency Mitigation Service (recommended) and an updated mitigation tool, though both disrupt some functionality.

Source: Dark Reading