Microsoft has patched CVE-2026-42897, a critical Exchange Server vulnerability that threat actors have been actively exploiting since at least May 14, 2026. The fix shipped as part of Microsoft's June 2026 Patch Tuesday update cycle — a record-breaking release that addressed 206 vulnerabilities across the Windows ecosystem.
Background: Nearly a Month of Active Exploitation
Microsoft first warned about active zero-day attacks targeting CVE-2026-42897 in its May 14 security advisory, but withheld a patch at the time while the company worked on a fix. This left Exchange Server administrators in a difficult position: aware of active exploitation with no complete remediation available for nearly four weeks.
The vulnerability affects on-premises Microsoft Exchange Server deployments. Microsoft 365 (Exchange Online) customers were not impacted, as cloud infrastructure was already protected.
Technical Summary
| Property | Value |
|---|---|
| CVE ID | CVE-2026-42897 |
| Product | Microsoft Exchange Server |
| Status | Actively Exploited — Patched June 2026 |
| Patch Tuesday | June 2026 (206 CVEs total) |
| Impact | Remote Code Execution / Privilege Escalation |
Full technical details of the vulnerability have been withheld pending broader patch adoption, which is standard Microsoft practice for exploited zero-days to limit attacker advantage during the patch rollout window.
What Was Known During Active Exploitation
Microsoft's original May advisory confirmed:
- The vulnerability was being exploited in the wild by unknown threat actors
- Exploitation did not require prior authentication in some attack paths
- The flaw could be used to execute arbitrary code in the context of the Exchange application pool
- No workaround was fully effective; disabling features degraded Exchange functionality without eliminating risk
Exchange Server is a high-value target because it sits at the center of corporate communications, often holds sensitive email content, and frequently has elevated network access and trust relationships within enterprise environments.
June Patch Tuesday: Record 206 Vulnerabilities
The June 2026 Patch Tuesday also included patches for:
- Three actively exploited zero-days in total (including CVE-2026-42897)
- Critical RCE vulnerabilities in Windows Netlogon and other core components
- The previously disclosed RoguePlaynet Defender zero-day that granted SYSTEM-level access on fully updated Windows machines
- Fixes for the YellowKey, GreenPlasma, and MiniPlasma zero-days disclosed by a researcher in mid-May
The volume of patches underscores the accelerating pace of vulnerability discovery across Microsoft's product portfolio in 2026.
Recommended Actions
Exchange Server administrators should immediately apply the June 2026 Patch Tuesday updates, prioritizing CVE-2026-42897 given its confirmed active exploitation status.
Additional hardening steps:
- Apply the patch immediately: Do not defer this update. Active exploitation has been ongoing for nearly a month; unpatched Exchange servers should be treated as potentially compromised.
- Review Exchange Server logs: Look for indicators of compromise (IOCs) in IIS logs, OWA authentication logs, and PowerShell execution history dating back to May 14.
- Restrict Exchange to the internal network: If external OWA or EWS access is not business-critical, temporarily restrict access at the network perimeter until patched.
- Verify patch application: Use Microsoft's Exchange Health Checker script to confirm the update installed correctly and all Exchange services restarted.
- Consider migrating to Exchange Online: For organizations still running on-premises Exchange, this recurring zero-day pattern reinforces the case for migrating to Microsoft 365, which eliminates the patching burden for the email server tier.
Industry Pattern: Exchange as a Persistent Target
CVE-2026-42897 continues a long pattern of critical Exchange Server vulnerabilities being exploited in the wild — from ProxyLogon (2021) through ProxyShell, ProxyNotShell, and beyond. Nation-state actors and cybercriminal groups consistently prioritize Exchange exploitation due to the richness of data accessible through the email server and its high availability on the internet.
Organizations that have not yet migrated to cloud-hosted email should treat on-premises Exchange security as a continuous program — including accelerated patching SLAs, network segmentation, and post-exploitation monitoring — rather than a periodic maintenance task.