Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: microsoft-exchange (3 articles)Clear

Microsoft Exchange OWA zero-day actively exploited via crafted email, no patch yet (CVE-2026-42897)

Just two days after a 138-fix Patch Tuesday that listed no zero-days, Microsoft disclosed CVE-2026-42897, an Exchange Server XSS-to-spoofing flaw it has tagged 'Exploitation Detected.' The bug is rated CVSS 8.1 and reported by an anonymous researcher. An unauthenticated attacker emails a crafted message; if the victim opens it in Outlook Web Access and meets certain interaction conditions, arbitrary JavaScript runs in the browser session context, enabling spoofing and session abuse. On-prem Exchange Server 2016, 2019, and Subscription Edition are affected; Exchange Online is not. No permanent patch exists yet, only mitigation through the Exchange Emergency Mitigation Service.

Check
Inventory all on-prem Exchange Server 2016, 2019, and Subscription Edition instances; check Exchange EM Service is enabled and the May 14 mitigation shows 'Applied'; review OWA web access logs for unusual JavaScript-triggering email opens and crafted-message indicators.
Affected
Microsoft Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition RTM. Exchange Online customers are not affected. Risk is highest for internet-facing OWA deployments.
Fix
Confirm Exchange Emergency Mitigation Service is enabled (default since Sep 2021) and 'Applied' for CVE-2026-42897. If disabled, run EOMT.ps1 with the CVE flag. Permanent updates are coming for SE RTM, 2016 CU23, and 2019 CU14/CU15.

Pwn2Own Berlin Day 2: Microsoft Exchange falls to Orange Tsai's $200K chain, event total tops $908K

The second day of Pwn2Own Berlin 2026 added $385,750 across 15 unique zero-days, bringing the running total to $908,750 across 39 zero-days. The headline was Orange Tsai of DEVCORE chaining three bugs to gain SYSTEM-level remote code execution on Microsoft Exchange Server, taking the $200,000 top prize and pushing his event total past $375,000. Other day-two wins included a Windows 11 integer-overflow LPE, a Red Hat Enterprise Linux for Workstations root, a use-after-free in NVIDIA Container Toolkit, and AI-category exploits against LM Studio, Cursor, OpenAI Codex, and Anthropic Claude Desktop (the last as a collision with a previously known bug).

Check
Track Zero Day Initiative advisories over the next 90 days for the day-two Exchange chain (separate from CVE-2026-42897), Windows 11 LPE, RHEL Workstations escalation, NVIDIA Container Toolkit UAF, and the AI category bugs.
Affected
Fully patched Microsoft Exchange Server, Windows 11, Red Hat Enterprise Linux for Workstations, NVIDIA Container Toolkit, LM Studio, Cursor IDE, OpenAI Codex, and Anthropic Claude Desktop. CVEs not yet assigned; 90-day patching window.
Fix
Pre-stage update windows for Exchange Server, Windows 11, RHEL Workstations, and the AI developer tools listed. Where Cursor, Codex, and Claude Desktop run unsupervised, restrict outbound egress and code-execution scope until patches land.

China-linked FamousSparrow spent three months breaking back into an Azerbaijani oil and gas company through the same Microsoft Exchange flaw - first known China APT hit on South Caucasus energy

Bitdefender researchers documented a China-linked espionage group called FamousSparrow repeatedly compromising an Azerbaijani oil and gas company between late December 2025 and late February 2026. Each time the victim cleaned up, the attackers came back through the same unpatched Microsoft Exchange Server and dropped a new backdoor - first Deed RAT (a ShadowPad relative used by several Chinese groups), then TernDoor. The group overlaps with the Earth Estries cluster, which itself overlaps with Salt Typhoon. This is the first time FamousSparrow has been seen targeting South Caucasus energy infrastructure, a region whose role in supplying gas to Europe grew sharply after Russia's Ukraine transit deal expired.

Check
Audit Microsoft Exchange Server patch status across the estate, hunt for DLL sideloading patterns where signed executables load suspicious libraries, and search proxy and DNS logs for connections to sentinelonepro[.]com.
Affected
Internet-exposed Microsoft Exchange Server instances. Energy sector organizations operating in or partnering with Azerbaijan, Armenia, and Georgia, plus their European downstream gas customers.
Fix
Patch Exchange to the current security update and confirm ProxyNotShell-class fixes are applied. Rotate credentials exposed during prior intrusions, hunt for Deed RAT and TernDoor IoCs from Bitdefender's report, and block sentinelonepro[.]com.