Microsoft Exchange Server users are being advised to take immediate action following the disclosure of a critical zero-day vulnerability. This vulnerability, designated as CVE-2026-42897, involves spoofing and cross-site scripting (XSS) issues and affects Exchange Server Subscription Edition, 2016, and 2019. Although Microsoft had already patched 137 vulnerabilities in its latest Patch Tuesday release, this zero-day was revealed just two days later.

The flaw specifically impacts the Exchange Outlook Web Access (OWA), where attackers can exploit the vulnerability by sending a specially crafted email to the victim. If the email is opened under certain conditions within OWA, it can trigger the execution of arbitrary JavaScript in the browser. Microsoft has provided interim mitigation options while a permanent patch is being developed.

The cybersecurity community is closely monitoring this issue, although Microsoft has not released details on the nature of the attacks exploiting this vulnerability. An anonymous researcher reported the flaw, highlighting the ongoing risk posed by Exchange Server vulnerabilities. Despite the absence of this specific vulnerability on CISA's Known Exploited Vulnerabilities list, Exchange Server remains a frequent target for threat actors.

Microsoft's statement emphasizes the importance of enabling the Exchange Emergency Mitigation Service (EEMS) to enhance protection against this vulnerability. Organizations using Exchange Server should implement the recommended mitigations promptly to safeguard their systems against potential exploitation.