A zero-day vulnerability in Microsoft Exchange Server tracked as CVE-2026-42897 is being actively exploited in the wild, and Microsoft has not yet released a patch. The flaw is a cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA). Script injected through it runs inside the victim's already authenticated OWA session, so an attacker gains read and send access to the mailbox without ever learning the victim's credentials.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-42897 |
| Vulnerability Type | Cross-Site Scripting (XSS) |
| Affected Component | Outlook Web Access (OWA) — Microsoft Exchange Server |
| Attack Vector | Network; the victim must open a malicious link or email while signed in to OWA |
| Authentication Required | None for the attacker; the payload runs in the victim's existing authenticated session |
| Patch Available | No — zero-day, no fix released |
| Active Exploitation | Confirmed |
| Public Exploit | Not yet confirmed publicly, but in use by threat actors |
How the Attack Works
The vulnerability exists in how Exchange Server's OWA interface processes and reflects user-supplied input. A successful XSS attack through CVE-2026-42897 follows this pattern:
- The attacker crafts a malicious link or email containing a specially crafted URL or HTML payload aimed at the OWA interface.
- The victim accesses the malicious content, either by clicking a phishing link or by opening a crafted email that triggers the payload inside OWA.
- JavaScript executes in the victim's browser inside the authenticated OWA session, with the same access the OWA pages themselves have (same-origin requests carry the session cookie automatically).
- The attacker gains control of the mailbox: the injected script can read and exfiltrate email, send mail as the victim, modify inbox rules, and steal session tokens.
- Access persists: with a stolen session token the attacker can keep using the mailbox until the session expires or is revoked, without triggering the vulnerability again.
Why This Is Particularly Dangerous
Exchange Server and OWA are deployed across enterprises, government agencies, and critical infrastructure worldwide. A zero-day XSS that enables mailbox compromise carries several severe implications:
Business Email Compromise (BEC) at Scale
With access to victim mailboxes, attackers can:
- Intercept financial transactions and redirect wire transfers
- Impersonate executives in fraud schemes
- Access sensitive internal communications, M&A discussions, and legal matters
Lateral Movement via Email
Compromised mailboxes provide a trusted internal position for:
- Sending phishing emails that appear to come from legitimate internal addresses
- Accessing shared calendars, meetings, and organization charts to map targets
- Reading privileged communications to inform further attacks
Intelligence Collection
Nation-state and espionage groups regularly target Exchange for email surveillance. A mailbox compromise through OWA provides ongoing access to organizational communications while blending into ordinary HTTPS traffic to OWA, so the indicators are found in IIS and mailbox audit logs rather than at the network perimeter.
Who Is Being Targeted?
While Microsoft and Dark Reading have not attributed the active exploitation to a specific threat actor as of this writing, the targeting of OWA zero-days is consistent with the methodology of:
- Nation-state espionage groups (APT28, APT29, Volt Typhoon) which have historically targeted Exchange for email collection
- Ransomware initial access brokers who compromise email accounts to facilitate follow-on intrusions
- BEC criminal groups seeking financial fraud opportunities through mailbox access
Immediate Mitigations
With no patch available, Exchange administrators must rely on compensating controls:
1. Restrict OWA Access
- Limit OWA to VPN-only access — remove public internet exposure of OWA where operationally feasible
- Implement IP allowlisting for OWA access, restricting it to known corporate IP ranges
- Enforce Conditional Access policies in Microsoft Entra ID requiring compliant devices and MFA, but only where OWA authentication actually flows through Entra ID (for example, OWA published through an Entra application proxy, or hybrid deployments using Hybrid Modern Authentication where supported); on-premises forms-based OWA logins are not covered by these policies
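One way to implement the IP allowlist for OWA on an on-premises Exchange front end, as an added example that is not part of the original article or of any Microsoft guidance: it uses the IIS "IP and Domain Restrictions" feature through the WebAdministration module. The site name, the address ranges, and the assumption that the feature is already installed are placeholders.

```powershell
# Added example, not from the original article: restrict the /owa virtual directory
# on an on-premises Exchange front end to corporate address ranges with the IIS
# "IP and Domain Restrictions" feature.
# Assumptions (placeholders): the feature is installed
# (Install-WindowsFeature Web-IP-Security), OWA is published on "Default Web Site",
# and the ranges below are the corporate LAN, the VPN client pool and localhost.
Import-Module WebAdministration

$owaPath = 'IIS:\Sites\Default Web Site\owa'
$filter  = 'system.webServer/security/ipSecurity'
$allowed = @(
    @{ ipAddress = '10.0.0.0';  subnetMask = '255.0.0.0' },        # internal LAN (placeholder)
    @{ ipAddress = '192.0.2.0'; subnetMask = '255.255.255.0' },    # VPN client pool (placeholder)
    @{ ipAddress = '127.0.0.1'; subnetMask = '255.255.255.255' }   # local health probes
)

# The ipSecurity section is locked at the server level by default; unlock it so
# the /owa application can carry its own allow list.
Set-WebConfiguration -PSPath 'IIS:\' -Filter $filter -Metadata overrideMode -Value Allow

# Start from an empty local list (makes the script safe to re-run), then deny
# every address that is not explicitly allowed.
Clear-WebConfiguration -PSPath $owaPath -Filter $filter
Set-WebConfigurationProperty -PSPath $owaPath -Filter $filter -Name allowUnlisted -Value $false

foreach ($net in $allowed) {
    Add-WebConfigurationProperty -PSPath $owaPath -Filter $filter -Name '.' -Value @{
        ipAddress  = $net.ipAddress
        subnetMask = $net.subnetMask
        allowed    = $true
    }
}

# Print the resulting policy so the change can be reviewed before testing.
Get-WebConfiguration -PSPath $owaPath -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
Get-WebConfigurationProperty -PSPath $owaPath -Filter $filter -Name allowUnlisted
```

Run it in an elevated session on each Exchange front-end server and verify afterwards from one allowed and one denied address. Two caveats: if OWA sits behind a load balancer or reverse proxy, IIS sees the proxy's address, so either apply the restriction on the proxy or turn on the feature's proxy mode (the enableProxyMode attribute, which trusts X-Forwarded-For) and allow the proxy range; and include the load balancer's health-probe source, since it requests /owa/healthcheck.htm and would otherwise be denied.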
2. Enable Multi-Factor Authentication
- Enforce MFA for all OWA logins. MFA blocks logins with harvested passwords, but it does not stop replay of a session cookie or token stolen through the XSS itself; that gap is what short session lifetimes are for
- Shorten session timeouts: reduce the validity window of OWA session tokens so that a stolen one is useful for as little time as possible, and treat a password reset plus sign-out of all sessions as the remediation for any account suspected of compromise
3. Monitor for Suspicious Activity
- Review OWA access logs for unusual IP addresses, geographic anomalies, or access at unusual hours
- Alert on inbox rule creation — a common post-compromise action is creating forwarding rules to exfiltrate email
- Monitor for mail flow anomalies — unusual sending volumes, external recipients, or attachment behavior can indicate mailbox compromise
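The rule and logon review in the monitoring steps above, as an added example that is not from the original article: it runs in the Exchange Management Shell of an on-premises organization and reports inbox rules that forward, redirect or delete mail, together with OWA logons and rule changes recorded in the mailbox audit log from addresses outside corporate ranges. The address prefixes, the seven-day window and the auditing switch are assumptions.

```powershell
# Added example, not from the original article: hunt for post-compromise indicators
# across all mailboxes of an on-premises Exchange organization.
# Assumptions (placeholders): run in the Exchange Management Shell; mailbox auditing
# has been enabled (see the Set-Mailbox line below); corporate address prefixes below.

$corporatePrefixes = @('10.', '192.0.2.')   # placeholder corporate ranges
$lookback = (Get-Date).AddDays(-7)

function Test-CorporateIP {
    param([string] $Address)
    foreach ($prefix in $corporatePrefixes) {
        if ($Address.StartsWith($prefix)) { return $true }
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Owner-logon and inbox-rule auditing is off by default on-premises. Enable it once;
# audit records only exist for activity after this is set.
# $mailboxes | Set-Mailbox -AuditEnabled $true -AuditOwner MailboxLogin,UpdateInboxRules

# 1. Inbox rules that move mail out of the user's sight or off the server.
$suspiciousRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or $_.MoveToFolder -match 'RSS|Archive|Conversation History'
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
}

# 2. Logons and rule changes from addresses outside the corporate ranges.
$auditHits = foreach ($mbx in $mailboxes) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Owner,Delegate,Admin `
        -StartDate $lookback -EndDate (Get-Date) -ShowDetails -ResultSize 5000 `
        -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Operation -in @('MailboxLogin', 'UpdateInboxRules', 'New-InboxRule', 'Set-InboxRule') -and
            $_.ClientIPAddress -and -not (Test-CorporateIP $_.ClientIPAddress)
        } |
        Select-Object MailboxOwnerUPN, Operation, LogonType, ClientIPAddress,
                      ClientInfoString, LastAccessed
}

$suspiciousRules | Format-Table -AutoSize
$auditHits | Sort-Object LastAccessed -Descending | Format-Table -AutoSize
```

The ClientInfoString column distinguishes OWA sessions (it starts with Client=OWA) from Outlook, EWS or PowerShell activity, which is useful when an external address turns up. Rules created through MAPI with the hidden flag do not always appear in Get-InboxRule, so cross-check any mailbox that shows external logons with a MAPI-level tool before declaring it clean.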
4. Apply Defense-in-Depth
- Deploy a Web Application Firewall (WAF) in front of OWA to detect and block common XSS payloads; treat it as a tripwire rather than a fix, since a payload tailored to the vulnerability may be encoded to evade generic signatures
- Enable Microsoft Defender for Office 365 with anti-phishing and safe link policies
- Review and rotate service account credentials associated with Exchange
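A log-side check to pair with the WAF and the OWA access-log review above, as an added example that is not from the original article: it parses IIS W3C log lines from the OWA front end, decodes the query string, flags entries carrying script-like content, and reports the source address. It is a generic reflected-XSS hunting heuristic, not a signature for CVE-2026-42897, whose payload details are not public. The log directory, the corporate prefixes, the parameter name q and the three sample lines are constructed for the demonstration.

```powershell
# Added example, not from the original article: scan IIS W3C logs from the OWA
# front end for requests whose query string carries script-like content.
# Assumptions (placeholders): log path, corporate prefixes, and the sample lines.

$corporatePrefixes = @('10.', '192.0.2.')
$logDir = 'C:\inetpub\logs\LogFiles\W3SVC1'   # placeholder: OWA front-end site logs

# Fragments that rarely occur in legitimate OWA query strings. This is a hunting
# heuristic, so expect some false positives and review hits by hand.
$xssPattern = '<\s*script|javascript\s*:|on(?:error|load|mouseover|focus)\s*=|<\s*(?:img|svg|iframe)\b|expression\s*\('

function Find-SuspiciousOwaRequests {
    param([string[]] $Lines)
    $fields = @()
    foreach ($line in $Lines) {
        # The #Fields: header names the columns; IIS may change it between files.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $cols = $line -split ' '
        if ($fields.Count -eq 0 -or $cols.Count -lt $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notmatch '^/owa(/|$)') { continue }

        # Decode twice: double-encoding is a common way to slip past naive filters.
        $decoded = [uri]::UnescapeDataString([uri]::UnescapeDataString($row['cs-uri-query']))
        if ($decoded -match $xssPattern) {
            $ip = $row['c-ip']
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $ip
                Corporate = [bool]($corporatePrefixes | Where-Object { $ip.StartsWith($_) })
                User      = $row['cs-username']
                Status    = $row['sc-status']
                Query     = $decoded
            }
        }
    }
}

# Constructed sample lines (not real traffic): one benign request, one plain
# <script> injection, one double-encoded <svg onload> payload from an external address.
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2026-05-14 08:01:12 10.0.0.5 GET /owa/ ae=Item&t=IPM.Note 443 CONTOSO\alice 10.0.4.17 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120',
    '2026-05-14 08:02:40 10.0.0.5 GET /owa/ q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E 443 CONTOSO\alice 203.0.113.44 Mozilla/5.0 - 200 0 0 90',
    '2026-05-14 08:03:05 10.0.0.5 GET /owa/ q=%25%33%43svg%2Fonload%3Dalert(1)%3E 443 - 198.51.100.7 curl/8.4 - 302 0 0 15'
)
Find-SuspiciousOwaRequests $sample | Format-Table -AutoSize

# Against real logs, e.g. the last two days of files from the OWA front end:
# Get-ChildItem $logDir -Filter '*.log' | Where-Object LastWriteTime -gt (Get-Date).AddDays(-2) |
#     ForEach-Object { Find-SuspiciousOwaRequests (Get-Content $_.FullName) } | Format-Table -AutoSize
```

On the sample input the first line is reported clean and the other two are flagged, the third only because of the second decoding pass. A hit with a 200 status and a populated cs-username is the case to escalate: it means the crafted request was served inside an authenticated session, which is exactly the condition the attack chain above needs.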
Historical Context: Exchange Under Fire
Microsoft Exchange has been a persistent target for sophisticated threat actors:
| Incident | Date | Impact |
|---|---|---|
| ProxyLogon (CVE-2021-26855 et al.) | March 2021 | 250,000+ servers compromised globally |
| ProxyNotShell (CVE-2022-41082) | October 2022 | Authenticated RCE chain |
| Exchange SSRF (CVE-2026-21413) | February 2026 | Server-side request forgery |
| CVE-2026-42897 (this) | May 2026 | OWA XSS — zero-day, no patch |
The pattern of Exchange zero-days reflects the platform's centrality to enterprise communications and the extraordinary value of mailbox access to both criminal and state-sponsored threat actors.
What to Expect
Microsoft is expected to release an emergency out-of-band patch or include a fix in an upcoming Patch Tuesday release. Administrators should:
- Monitor the Microsoft Security Response Center (MSRC) for updates on CVE-2026-42897
- Subscribe to CISA alerts — CISA may add this to the Known Exploited Vulnerabilities (KEV) catalog, triggering mandatory patching deadlines for federal agencies
- Prepare for emergency patching — have change management processes ready to deploy a fix rapidly when it becomes available
References
- Dark Reading — Microsoft Exchange Zero-Day Under Attack, No Patch Available
- Microsoft Security Response Center — CVE-2026-42897
- CISA — Known Exploited Vulnerabilities Catalog
- CosmicBytez Labs — Microsoft Exchange Zero-Day Exploited in the Wild
- CosmicBytez Labs — Microsoft Exchange and Windows 11 Hacked at Pwn2Own