Microsoft Warns of High-Severity Zero-Day Vulnerability in Exchange Servers

Microsoft has disclosed a high-severity zero-day vulnerability, tracked as CVE-2026-42897, affecting on-premises Exchange Server 2016, 2019, and Subscription Edition deployments. The cross-site scripting (XSS) flaw can be triggered by a specially crafted email: when a targeted user opens the message in Outlook, the injected content runs in that user's context, enabling spoofing and arbitrary code execution. Exchange Online is not affected. No official patch is available yet; Microsoft has instead released temporary mitigations through the Exchange Emergency Mitigation Service (EEMS), which pushes them automatically to servers that can reach Microsoft, and through the Exchange On-premises Mitigation Tool (EOMT) for disconnected environments that cannot. The company warned that these mitigations may disrupt some Exchange features until security updates for the affected versions ship.
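Because EEMS only applies mitigations to servers that can reach Microsoft's Office Config Service, the first thing to verify is whether each server actually received them. The following is an added example, not code from the article or from Microsoft; it assumes an Exchange Management Shell session on a build that ships EEMS (Exchange 2016 CU22 or later, 2019 CU11 or later, or Subscription Edition), and it relies on the Get-OrganizationConfig and Get-ExchangeServer mitigation properties and the Get-Mitigations.ps1 script in the $exscripts folder. The specific mitigation IDs for this CVE are not given in the article, so the output must be compared against Microsoft's advisory rather than a value hard-coded here.

```powershell
# Added example (not from the article or Microsoft). Assumes an Exchange Management
# Shell on a build that includes the Exchange Emergency Mitigation Service (EEMS).

# Organization-wide switch: if this is False, EEMS applies nothing on any server.
Get-OrganizationConfig | Select-Object MitigationsEnabled

# Per-server view: whether EEMS is enabled, which mitigation IDs it has applied,
# and which IDs an administrator has explicitly blocked. A server that has never
# reached the Office Config Service shows no applied mitigations and is a candidate
# for the Exchange On-premises Mitigation Tool (EOMT) instead.
Get-ExchangeServer |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# Microsoft's Get-Mitigations.ps1 (shipped in the Exchange Scripts folder, reachable
# through the $exscripts variable) prints the same data with a description per ID.
& "$exscripts\Get-Mitigations.ps1"

# Servers that report MitigationsEnabled = False or an empty MitigationsApplied list
# need follow-up: either restore connectivity so EEMS can run, or apply the
# mitigation with EOMT per Microsoft's guidance for disconnected environments.
Get-ExchangeServer |
    Where-Object { -not $_.MitigationsEnabled -or -not $_.MitigationsApplied } |
    Select-Object Name, MitigationsEnabled, MitigationsApplied
```

The MitigationsApplied list is the authoritative record of what EEMS changed on a server, so check it again after Microsoft publishes the security update: the temporary mitigation may need to be removed or may be superseded once the patched build is installed.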

Reference: infosecurity-magazine.com