
Critical Microsoft Exchange Server Flaw Under Active Attack – CVE-2026-42897 Exploited via Malicious Emails

Last updated: 2026-05-16 10:12:45 · Cybersecurity

Microsoft has confirmed that a previously undisclosed security vulnerability in its on-premises Exchange Server software is now being actively exploited in the wild. The flaw, tracked as CVE-2026-42897 and assigned a CVSS score of 8.1 (High), allows attackers to launch spoofing attacks through crafted email messages.

According to Microsoft's advisory, the vulnerability originates from a cross-site scripting (XSS) flaw that can be triggered when an Exchange server processes a specially designed email. This enables a remote, unauthenticated attacker to impersonate legitimate users or systems, potentially leading to unauthorized data access or further compromise.

“We are aware of limited, targeted attacks exploiting CVE-2026-42897 against on-premises Exchange servers,” said a spokesperson from the Microsoft Security Response Center (MSRC). “We urge all customers running on-premises Exchange to apply the security update immediately.”

The issue was discovered and reported by an anonymous security researcher who responsibly disclosed it to Microsoft before any public disclosure. The researcher's identity has not been revealed.

Background

Exchange Server has been a frequent target for attackers in recent years. In 2021, the Hafnium group exploited zero-day vulnerabilities to breach thousands of organizations. While cloud-based Exchange Online receives updates automatically, on-premises customers often face delays in patching.

Source: feeds.feedburner.com

CVE-2026-42897 specifically affects on-premises deployments of Microsoft Exchange Server 2016 and 2019. Microsoft has released an out-of-band security update to address the flaw. No mitigations are available for unpatched systems.


Security experts warn that this vulnerability is particularly dangerous because it can be exploited with a single email. “Any Exchange server exposed to the internet is a potential target,” said John Hammond, principal security researcher at Huntress. “Attackers don't need credentials – just a valid email address.”

What This Means

Organizations running on-premises Exchange Server are at immediate risk. The spoofing capability allows attackers to forge trusted domains or employee accounts, enabling phishing campaigns or credential theft.

Microsoft's advisory emphasizes that the vulnerability can be exploited without user interaction. Once an attacker sends a malicious email, the Exchange server processes it, and the XSS payload executes, making detection difficult.

Administrators should prioritize installing the update released in the April 2026 Patch Tuesday rollup. Workarounds include disabling Outlook Web Access (OWA) or blocking certain email attachments, but these are not full solutions.

“This is a race against time,” added Hammond. “Every unpatched server is a ticking bomb. We strongly recommend immediate patching, even if it means scheduling downtime.”

For more technical details, refer to Microsoft's security bulletin. If you suspect compromise, conduct a thorough audit of Exchange logs for unusual login activity or unauthorized mailbox access.