Exchange zero-day exploited in XSS attacks prompts rapid mitigations ahead of patches

Microsoft is warning of an actively exploited spoofing vulnerability in Exchange Server, tracked as CVE-2026-42897, that attackers abuse through cross-site scripting to run arbitrary JavaScript in Outlook on the Web (OWA). No patch is available yet. For on-premises servers, the Exchange Emergency Mitigation Service (EEMS) can apply a mitigation automatically, and Microsoft's guidance is to make sure it is enabled now; for air-gapped networks that cannot reach the service, the option is to apply the mitigation with the Exchange On-Premises Mitigation Tool (EOMT). The mitigations can break some OWA features, including calendar printing and inline images, and some OWA modes. Patches are planned for Exchange SE RTM and specific CU releases, while updates for Exchange 2016 and 2019 may be limited to ESU Period 2. CISA and the NSA have previously highlighted widely exploited Exchange flaws and published guidance for hardening servers.
- Microsoft warns of Exchange zero-day flaw exploited in attacks (BleepingComputer)
- On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email (The Hacker News)
- Microsoft Confirms Active 0-Day Exploit—Check Emergency Mitigation Now (Forbes)
- Exploited Exchange Server flaw turns OWA inboxes into script launchpads (The Register)
- Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild (SecurityWeek)
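To turn the "enable EEMS now" advice into something an administrator can actually run, here is an added example (not from the article and not Microsoft's own script) that checks whether EEMS is enabled at both the organization and server scope, enables it where it is off, tests connectivity to the mitigation service and lists the mitigations applied to this server. It assumes it is run from the Exchange Management Shell on the Exchange server itself; `$Server` is a placeholder for that server's name, and the cmdlets, properties and `$exscripts` scripts used are the ones Microsoft documents for EEMS.

```powershell
# Added example, not from the article: verify and enable the Exchange
# Emergency Mitigation Service (EEMS) on an on-premises Exchange server.
# Assumes the Exchange Management Shell on the server; $Server is a placeholder.

$Server = $env:COMPUTERNAME

# 1. EEMS is only active when it is enabled at BOTH the organization level
#    and the individual server level; either one set to $false disables it.
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $Server

"Org-level MitigationsEnabled   : $($org.MitigationsEnabled)"
"Server-level MitigationsEnabled: $($srv.MitigationsEnabled)"

if (-not $org.MitigationsEnabled) {
    # Organization-wide switch (replicates through Active Directory).
    Set-OrganizationConfig -MitigationsEnabled $true
}
if (-not $srv.MitigationsEnabled) {
    # Per-server switch; repeat for every on-premises Exchange server.
    Set-ExchangeServer -Identity $Server -MitigationsEnabled $true
}

# 2. EEMS pulls mitigations from Microsoft over HTTPS. A server that cannot
#    reach the service silently never receives the mitigation, which is the
#    air-gapped case the article says to cover with EOMT instead.
& "$exscripts\Test-MitigationServiceConnectivity.ps1"

# 3. List what EEMS has applied on this server. Review this output: the
#    article notes the mitigation can break OWA features such as calendar
#    printing and inline images, so know which mitigations are live.
& "$exscripts\Get-Mitigations.ps1"
```

EEMS polls Microsoft periodically rather than continuously, so a server you have just enabled will not report an applied mitigation immediately; re-run `Get-Mitigations.ps1` after a while. If the connectivity test fails and the network is deliberately isolated, apply the mitigation manually with EOMT; the article does not give its invocation, so none is shown here.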