Microsoft Exchange: Zero-day vulnerability is being attacked

A zero-day vulnerability exists in Microsoft Exchange, which attackers are already exploiting. Admins should act quickly.


Microsoft is warning of a zero-day security vulnerability in Exchange Server that is already being exploited in the wild. A software update is not yet available. Microsoft is instead offering countermeasures (mitigations) that admins should apply as quickly as possible.

In the vulnerability description, Microsoft describes the flaw as improper neutralization of input during web page generation, in other words a cross-site scripting (XSS) vulnerability. It allows unauthenticated attackers on the network to carry out spoofing attacks (CVE-2026-42897, CVSS 8.1, risk "high"). Microsoft nevertheless rates the severity as "critical". A blog post by Microsoft's Exchange team explains the vulnerability and the countermeasures in more detail.

The vulnerability apparently affects Outlook Web Access (OWA) specifically. According to Microsoft, attackers can send specially crafted emails to victims. If a user opens such an email in OWA and certain, unspecified interaction conditions are met, attacker-controlled JavaScript is executed in the user's browser within the OWA session.

Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) are affected at every update level. Microsoft is not yet providing a software update. Instead, an automatic fix is delivered via the Exchange Emergency Mitigation (EM) Service: where the service is active, Microsoft has already rolled out the countermeasures. The EM service has shipped with Exchange since the September 2021 Cumulative Updates and is enabled by default. The blog post also describes a manual variant for servers where the service is not running.

The countermeasures for CVE-2026-42897 have side effects that admins should be aware of. Printing calendars in OWA may no longer work. Inline images may no longer be displayed correctly in the reading pane. OWA Light may no longer function properly, though it is already obsolete and "deprecated" anyway. In addition, the mitigation details report the mitigation as invalid for the current Exchange version; Microsoft assures that this is purely cosmetic. If the status shows "Applied", the mitigation has in fact been applied.
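Because the article says the fix arrives automatically only where the EM service is running, and that "Applied" is the status to look for, an admin's first job is to verify both on every server. The following is an added example for the Exchange Management Shell, not code from the article or from Microsoft's blog post; it uses only the documented EM service name, the documented MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties and the Get-Mitigations.ps1 script that ships in the Exchange Scripts folder. The mitigation ID for CVE-2026-42897 is not given in the article, so it is read from the applied list rather than assumed.

```powershell
# Added example (not from the heise article or the Microsoft blog post).
# Run in the Exchange Management Shell on an Exchange 2016/2019/SE server.

# 1. Is the Emergency Mitigation service installed and running on this server?
#    Service name per Microsoft documentation: MSExchangeMitigation.
Get-Service -Name MSExchangeMitigation -ErrorAction Stop |
    Select-Object Name, Status, StartType

# 2. Is the EM service enabled at organization level and for this server?
Get-OrganizationConfig | Format-List MitigationsEnabled
Get-ExchangeServer -Identity $env:COMPUTERNAME |
    Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Can the server reach the endpoint the EM service pulls mitigations from?
#    (officeclient.microsoft.com, HTTPS; blocked egress is the usual reason
#    nothing is ever "Applied".)
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Per-mitigation status ("Applied" is what the article says to look for).
#    Get-Mitigations.ps1 ships with Exchange in the Scripts folder.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')

# 5. Fleet-wide view: servers with the service disabled or with nothing applied
#    are the ones that need the manual variant from Microsoft's blog post.
Get-ExchangeServer |
    Select-Object Name, MitigationsEnabled,
        @{ Name = 'Applied'; Expression = { ($_.MitigationsApplied -join ', ') } },
        @{ Name = 'Blocked'; Expression = { ($_.MitigationsBlocked -join ', ') } } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run step 5 from a single server to see the whole organization; any server with MitigationsEnabled set to False, or with an empty Applied column after the EM service has had time to poll, has not received the automatic countermeasure and should be handled manually.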

The Exchange team is meanwhile working on a permanent, proper fix. It is to be released as an update for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. Note, however, that customers running Exchange 2016 or 2019 must be subscribed to the second phase of Extended Security Updates (ESU) to receive it. Microsoft provides further details on the Emergency Mitigation Service on its own website.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.