Threat Advisory

Microsoft Exchange Server Vulnerability Allows JavaScript Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-42897, with a CVSS score of 8.1, is a critical cross-site scripting flaw in Microsoft Exchange Server that affects all update levels of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. The vulnerability stems from improper neutralisation of user-supplied input when Outlook Web Access (OWA) pages are generated, allowing an attacker to inject arbitrary JavaScript through a weaponised email. An unauthenticated threat actor can craft a malicious email and send it to any recipient; when the recipient, who is logged into OWA, opens the message in a browser, the injected script executes in the context of the victim's session. This execution grants the attacker the ability to spoof emails, harvest credentials, hijack the OWA session, and perform actions on behalf of the compromised user, effectively compromising the confidentiality and integrity of corporate communications. The business impact includes potential data exfiltration, unauthorized access to sensitive information, lateral movement within the network, regulatory penalties, and reputational damage. Exploitation requires only that the target be authenticated to OWA and view the crafted email; no additional privileges or client-side software are needed, and the attack bypasses typical attachment-based defenses.
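The defect class named above, user-supplied input interpolated into a generated page without neutralisation, is easiest to see in code. The following is an added example, not code from the advisory, from Microsoft, or from OWA: a toy webmail message-list renderer with the vulnerable and the hardened version side by side, plus the parser-based check a rendering unit test could use to catch the regression. The message, field names and function names are all constructed for illustration and say nothing about Exchange internals; the payloads only set `document.title` so the effect is visible but harmless.

```python
"""
Added example, not code from the advisory or from Microsoft: a toy webmail
message-list renderer that shows the defect class the advisory describes
(user-supplied mail header values interpolated into an HTML page without
neutralisation) beside a hardened renderer that applies HTML output encoding.
Everything here is constructed; the field names and functions are illustrative
and are not Exchange or OWA internals.
"""
import html
from html.parser import HTMLParser

# Constructed inbound message: the sender display name and subject, both
# attacker-controlled fields in any mail system, carry markup. The payloads
# only set document.title so the effect is visible but harmless.
CONSTRUCTED_MESSAGE = {
    "from": 'Payroll <script>document.title="xss-marker"</script>',
    "subject": 'Q3 report <img src=x onerror="document.title=\'xss-marker\'">',
}


def render_row_vulnerable(msg: dict) -> str:
    """Interpolates header values straight into HTML: improper neutralisation."""
    return (
        f'<tr><td class="from">{msg["from"]}</td>'
        f'<td class="subject">{msg["subject"]}</td></tr>'
    )


def render_row_hardened(msg: dict) -> str:
    """Encodes each value for the HTML text context before interpolation.

    html.escape turns < > & " ' into character references, so whatever the
    sender placed in the header is displayed as text and never parsed as markup.
    """
    return (
        f'<tr><td class="from">{html.escape(msg["from"], quote=True)}</td>'
        f'<td class="subject">{html.escape(msg["subject"], quote=True)}</td></tr>'
    )


class _TagCollector(HTMLParser):
    """Records the elements and on* event-handler attributes a parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def injected_elements(rendered_row: str) -> tuple[list[str], list[str]]:
    """Return (unexpected element names, event-handler attribute names).

    A message-list row should contain only <tr> and <td>; anything else was
    smuggled in through a header value. This is the assertion a rendering
    unit test can make to catch the regression before it ships.
    """
    expected = {"tr", "td"}
    collector = _TagCollector()
    collector.feed(rendered_row)
    collector.close()
    return [t for t in collector.tags if t not in expected], collector.handlers


if __name__ == "__main__":
    for label, render in (("vulnerable", render_row_vulnerable), ("hardened", render_row_hardened)):
        row = render(CONSTRUCTED_MESSAGE)
        tags, handlers = injected_elements(row)
        print(f"{label:10s} injected tags={tags} handlers={handlers}")
        print("           ", row)
```

Run stand-alone, the vulnerable row yields the injected `script` and `img` elements and an `onerror` handler, while the hardened row yields none: the browser's parser, like Python's, sees only text inside the cells once the values are encoded. Output encoding at the point of page generation is the fix for this bug class; a restrictive Content-Security-Policy that forbids inline script is a defence-in-depth layer on top of it, not a substitute.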

RECOMMENDATION:

  • We recommend updating Exchange Server 2019 to version CU14/CU15.
  • We recommend updating Exchange Server 2016 to version CU23.
  • We recommend updating Exchange Server Subscription Edition to version RTM.

REFERENCES:

The following report contains further technical details:
https://cybersecuritynews.com/microsoft-exchange-server-0-day-exploited/