Week 23 – Exchange Servers at Risk: Active Exploitation

01 – 07 June 2026
A newly discovered vulnerability in Microsoft Exchange is currently being actively exploited by attackers. The issue, CVE-2026-42897 (this week’s CVE of the Week), affects the Outlook Web Access (OWA) component and is caused by improper input validation, leading to a Cross-Site Scripting (XSS) flaw.
The problem occurs because the server does not properly filter user-supplied input. As a result, attackers can inject malicious code into web pages, which is then executed in the victim’s browser. This allows attacker-controlled JavaScript to run in the context of a legitimate user session.
The attack works in a simple way. An attacker sends a specially crafted email or link to a user. When the victim opens it in OWA, the server reflects the malicious content back into the page. The browser then executes this script automatically. Through this, the attacker can gain access to the user’s active session.
With this vulnerability, attackers can impersonate users, hijack authenticated sessions, and access sensitive mailbox data or perform actions on behalf of the user. The attack does not require prior authentication, but it does require the victim to interact with the malicious content.
This vulnerability is especially dangerous because it can be exploited over the network using only a crafted email or request. It targets authenticated users and runs within a trusted browser session, breaking normal security boundaries.
To mitigate the risk, organizations should reset sessions and credentials if a compromise is suspected. It is recommended to enable the Exchange Emergency Mitigation (EM) Service, which can automatically apply protections. Most importantly, the latest cumulative and security updates should be installed as soon as they become available.
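The following is an added example for the mitigation steps above, not code from the original post or from Microsoft: a short Exchange Management Shell check that reports, for each on-premises server, the installed build, whether the Exchange Emergency Mitigation (EM) Service is enabled, and which mitigations it has applied, optionally turning the service on. The build numbers in the hashtable are placeholders (the post does not list the fixed builds); take the real values for Exchange 2016, 2019 and SE from the MSRC advisory linked below.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell
# of an on-premises Exchange 2016 / 2019 / SE organization.
param(
    # PLACEHOLDER builds keyed by "Major.Minor" of AdminDisplayVersion. Replace with the
    # patched builds from the MSRC update guide. Note: Exchange 2019 and Exchange SE both
    # report 15.2, so check the advisory for the edition actually installed.
    [hashtable]$MinimumPatchedBuilds = @{ '15.1' = [version]'15.1.0.0'; '15.2' = [version]'15.2.0.0' },
    # Set to enable the EM service on servers where it is currently off
    [switch]$EnableMitigations
)

# The organization-level switch must be on, otherwise per-server settings have no effect.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning 'EM service is disabled at the organization level; enable it with Set-OrganizationConfig -MitigationsEnabled $true'
}

Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' } | ForEach-Object {
    $srv = $_

    # AdminDisplayVersion renders as "Version 15.2 (Build 1544.4)"; rebuild a comparable [version].
    $v     = $srv.AdminDisplayVersion
    $build = [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision)
    $key   = '{0}.{1}' -f $v.Major, $v.Minor
    $patched = if ($MinimumPatchedBuilds.ContainsKey($key)) { $build -ge $MinimumPatchedBuilds[$key] } else { $null }

    # Optionally switch the EM service on and re-read the server object.
    if ($EnableMitigations -and -not $srv.MitigationsEnabled) {
        Set-ExchangeServer -Identity $srv.Name -MitigationsEnabled $true
        $srv = Get-ExchangeServer -Identity $srv.Name
    }

    [pscustomobject]@{
        Server             = $srv.Name
        Build              = $build
        PatchedPerPlaceholder = $patched
        EMServiceEnabled   = [bool]$srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ', ')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ', ')
    }
} | Format-Table -AutoSize
```

Servers with `EMServiceEnabled` false or `PatchedPerPlaceholder` false are the ones to prioritize; the EM service only supplements the cumulative and security updates, it does not replace them.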
The vulnerability affects Microsoft Exchange Server 2016, 2019, and the Subscription Edition (SE). Exchange Online is not affected.
Security update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
Exchange team blog: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.