Microsoft has shipped the first full patch for an Exchange Server zero-day that attackers have been exploiting since May. The flaw (CVE-2026-42897) is a cross-site scripting bug in Outlook Web Access: an attacker emails a victim, and when the message is opened in OWA, malicious JavaScript runs inside the victim's authenticated session, allowing session-token theft and mailbox impersonation without ever touching the server. It affects Exchange Server 2016, 2019, and Subscription Edition, and CISA added it to its known-exploited list back in May. Until this week only temporary mitigations existed; the June security updates provide the permanent fix.
Just two days after a 138-fix Patch Tuesday that listed no zero-days, Microsoft disclosed CVE-2026-42897, an Exchange Server XSS-to-spoofing flaw it has tagged 'Exploitation Detected.' The bug is rated CVSS 8.1 and reported by an anonymous researcher. An unauthenticated attacker emails a crafted message; if the victim opens it in Outlook Web Access and meets certain interaction conditions, arbitrary JavaScript runs in the browser session context, enabling spoofing and session abuse. On-prem Exchange Server 2016, 2019, and Subscription Edition are affected; Exchange Online is not. No permanent patch exists yet, only mitigation through the Exchange Emergency Mitigation Service.