Microsoft said Thursday that a zero-day vulnerability in on-premises Exchange Server is being exploited in the wild [1].
The flaw is serious because it allows threat actors to execute arbitrary code. Because the attack is triggered when a user opens a malicious email, it poses a high risk to organizations that run their own Exchange infrastructure rather than using a cloud-hosted service.
The vulnerability, identified as CVE-2026-42897 [1], affects several versions of the software. Impacted installations include Exchange Server 2016, 2019, and the Subscription Edition [3].
The flaw carries a CVSS severity score of 8.0, which places it in the High band rather than the Critical one [3]. The exploit relies on cross-site scripting (XSS) [2]: an attacker sends a specially crafted email, and the embedded script runs when the message is opened. Note that XSS on its own executes in the browser of the user viewing the message (for example in Outlook on the web) and within that user's session, not as a server process; the article does not describe how that browser-side foothold is turned into commands on the server, so "full system compromise" should be read as the worst case rather than the documented mechanism.
Microsoft said it has released mitigations to protect affected servers while it works on a permanent patch [1]. Administrators are urged to apply these interim measures immediately to block the attack vector currently in use. A mitigation is not a fix: it should be verified on each server after deployment, and because exploitation began before any fix was available, it does nothing to undo an intrusion that has already happened, so affected servers should also be reviewed for signs of earlier compromise.
The company did not give a timeline for the final update but stressed that the current mitigations are necessary in the meantime [2]. Active exploitation of flaws like this frequently leads to widespread data breaches when organizations are slow to act on vendor warnings [4].
“The vulnerability allows threat actors to execute arbitrary code via cross-site scripting.”
Self-hosted Exchange, whether the older 2016 and 2019 releases or the current Subscription Edition, remains a persistent attack surface. Cloud migrations have reduced the number of exposed servers, but a severity score of 8.0 combined with exploitation in the wild shows that the remaining on-premises installations are still worthwhile targets for capable actors who pair social engineering with XSS.