Microsoft warns of a zero-day vulnerability in Exchange that is already being attacked in the wild. Updated software is not yet available. However, Microsoft offers countermeasures that admins should implement as quickly as possible.
In the vulnerability description, Microsoft explains that the bug stems from insufficient filtering of input when generating web pages, i.e. a cross-site scripting (XSS) vulnerability. It allows unauthenticated attackers on the network to carry out spoofing attacks (CVE-2026-42897, CVSS 8.1, risk "high"). Microsoft nevertheless rates the overall severity as "critical". A blog post from Microsoft's Exchange team describes the issue and the countermeasures in more detail.
Attack scenario
The vulnerability appears to specifically affect Outlook Web Access (OWA). Microsoft states that attackers can send manipulated emails to victims. When users open the email in OWA and certain, unspecified interaction conditions are met, arbitrary JavaScript is then executed in the browser.
Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition (SE) are affected at every update level. Microsoft is not yet providing software updates. An automatic interim fix is available, though, through the Exchange Emergency Mitigation (EM) service: where the service is active, Microsoft has already pushed the countermeasures out. The service has shipped with Exchange since September 2021 and is enabled by default. The blog post also describes a manual variant for servers without it.
The countermeasures that contain CVE-2026-42897 have side effects admins should be aware of. Printing calendars in OWA may no longer work. Inline images are no longer displayed correctly in the reading pane. OWA Light may stop working properly, although it is legacy and officially "deprecated" anyway. The mitigation details also show the countermeasure as invalid for the current Exchange version; Microsoft assures that this is purely cosmetic. If the status reads "Applied", the mitigation is in effect.
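To verify on your own servers what the two paragraphs above describe (is the EM service running, has it applied anything, and what does the per-mitigation status say), the following Exchange Management Shell snippet is an added example; it is not from the article or from Microsoft's blog post. It relies only on documented pieces: the MSExchangeMitigation Windows service, the MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties of Get-ExchangeServer, and the Get-Mitigations.ps1 script in the Exchange scripts folder. The article does not name the mitigation identifier for CVE-2026-42897, so the script lists all mitigations rather than filtering for one; look for the entry whose status reads "Applied".

```powershell
# Added example (not from the original article): check the state of the
# Exchange Emergency Mitigation (EM) service across the organisation.
# Run from the Exchange Management Shell (Windows PowerShell 5.1) on a
# build that ships EM (Exchange 2016 CU22+, 2019 CU11+, Exchange SE).

# 1. Is the EM Windows service itself running on each server?
$servers = Get-ExchangeServer
$serviceState = foreach ($srv in $servers) {
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server          = $srv.Name
        EMServiceStatus = if ($svc) { $svc.Status } else { 'not installed' }
    }
}
$serviceState | Format-Table -AutoSize

# 2. Does Exchange report EM as enabled, and which mitigations has it applied?
#    MitigationsBlocked lists mitigations an admin deliberately opted out of,
#    which is a common reason a mitigation is missing even though EM runs.
$servers | Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Per-mitigation detail, including the "Applied" status the article refers to.
#    Get-Mitigations.ps1 ships with Exchange; $exscripts is set by the
#    Exchange Management Shell and points at the Scripts folder.
& "$exscripts\Get-Mitigations.ps1"

# 4. Servers whose EM service is stopped or disabled get nothing pushed to them.
#    Re-enable per server if that is the case (deliberately left as a comment
#    so the block stays read-only; <ServerName> is a placeholder):
# Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true
```

Two caveats from how EM works: the service only applies mitigations if it can reach Microsoft's Office Config Service, so an outbound-blocked server shows MitigationsEnabled as true yet never reaches "Applied"; and, as the article notes, the mitigation details may flag the countermeasure as invalid for the installed version, which Microsoft says can be ignored as long as the status is "Applied".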
The Exchange team is currently working on a permanent, proper fix. It is to ship as an update for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. To receive it, anyone still running Exchange 2016 or 2019 must be subscribed to the second year of Extended Security Updates (ESU). Microsoft provides further details about the Emergency Mitigation service on its own website.
(dmk)
