CVE-2026-42897 – Microsoft Exchange Server Spoofing Vulnerability

A critical spoofing vulnerability affecting Microsoft Exchange Server has been identified in Outlook Web Access (OWA). The issue stems from improper neutralization of input during web page generation, enabling cross-site scripting (XSS) attacks through specially crafted emails. Successful exploitation allows attackers to execute arbitrary JavaScript within a victim’s browser session after the email is opened in OWA and specific interaction conditions are met. Microsoft has confirmed active exploitation in the wild, increasing the urgency for organizations running on-premises Exchange environments.

CVSS Score: 8.1

SEVERITY: Critical

THREAT:
This vulnerability enables attackers to impersonate trusted content and execute malicious scripts within the context of Outlook Web Access sessions. Because the exploit can be delivered through email, attackers may leverage phishing campaigns or targeted messages to compromise user sessions, harvest credentials, manipulate mailbox content, or pivot deeper into enterprise environments. Active exploitation indicates threat actors are already weaponizing this flaw against real-world targets.

EXPLOITS:
Microsoft has confirmed that exploitation has been detected in the wild. While public proof-of-concept exploit code has not been disclosed at the time of publication, attackers are actively exploiting the vulnerability. Exploitation requires a specially crafted email and user interaction within Outlook Web Access.

TECHNICAL SUMMARY:
The vulnerability is caused by improper neutralization of user-controlled input during web page generation in Microsoft Exchange Server, classified as CWE-79 Cross-Site Scripting (XSS). An attacker can craft a malicious email containing specially formed content that, when rendered in Outlook Web Access, triggers execution of arbitrary JavaScript in the browser context of the victim user. Because the attack occurs through a network vector and requires no privileges, attackers can remotely target users without authentication. Successful exploitation may allow attackers to steal authentication tokens, hijack user sessions, modify mailbox data, or conduct additional phishing and spoofing attacks from trusted accounts.

EXPLOITABILITY:
Affected systems include Microsoft Exchange Server environments utilizing Outlook Web Access. The attack is exploitable remotely over the network with low attack complexity and no privileges required. User interaction is necessary, as the victim must open the crafted email within OWA. Exploitation can lead to execution of malicious scripts in the user’s active browser session.

BUSINESS IMPACT:
Organizations relying on Microsoft Exchange Server for email communications face elevated risks of account compromise, credential theft, and unauthorized access to sensitive business communications. Since email systems are often highly trusted internally, successful exploitation can enable attackers to spread malicious content, impersonate employees, disrupt operations, and access confidential corporate data. Active exploitation significantly increases the likelihood of targeted attacks against enterprises.

WORKAROUND:
Microsoft recommends enabling the Exchange Emergency Mitigation Service (EEMS), which provides automatic mitigation and is enabled by default in supported Exchange environments. Organizations should verify the service is operational. Limiting external exposure of Outlook Web Access and reinforcing phishing awareness may further reduce risk until a permanent security update becomes available.

URGENCY:
This vulnerability demands immediate attention because Microsoft has confirmed active exploitation in real-world attacks. The flaw affects internet-facing Exchange environments and can be triggered through malicious emails, making it highly attractive for phishing campaigns and targeted intrusions. The absence of a permanent patch at release time further increases operational risk, placing greater importance on mitigation deployment and monitoring.