Microsoft finally patches actively exploited Exchange OWA spoofing zero-day
Microsoft has shipped the first full patch for an Exchange Server zero-day that attackers have been exploiting since May. The flaw (CVE-2026-42897) is a cross-site scripting bug in Outlook Web Access: an attacker emails a victim, and when the message is opened in OWA, malicious JavaScript runs inside the victim's authenticated browser session, allowing session-token theft and mailbox impersonation without any server-side code execution. It affects Exchange Server 2016, 2019, and Subscription Edition, and CISA added it to its known-exploited list back in May. Until this week only temporary mitigations existed; the June security updates provide the permanent fix.
- Check: Confirm the June 2026 security update is applied to all on-premises Exchange servers, and review OWA and mailbox audit logs for suspicious script activity or session hijacking since May.
- Affected: On-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition exposing Outlook Web Access (CVE-2026-42897), a spoofing and cross-site scripting flaw exploited in attacks since May.
- Fix: Apply the June 2026 Exchange security update now to replace the earlier mitigation-only guidance, then reset potentially exposed OWA sessions and rotate credentials for affected mailboxes.