Exchange Server zero-day vulnerability can be triggered by opening a malicious email
Summary
A new zero-day vulnerability, CVE-2026-42897, has been discovered in Microsoft Exchange Server and can be exploited by sending a malicious email. Opening the crafted email in Outlook Web Access (OWA) leads to arbitrary JavaScript execution in the recipient's browser session, posing an immediate risk to organizations running on-premises Exchange Server.
IFF Assessment
This vulnerability allows arbitrary JavaScript execution when a user simply opens a malicious email in OWA, directly threatening the security and data of organizations using on-premises Microsoft Exchange Server.
Severity
The rating is an estimated CVSS score for a cross-site scripting vulnerability in a web application. The high score reflects the potential for remote code execution or data theft: an attacker only needs to send a specially crafted email that the targeted user opens, with no further interaction required.
CISA KEV: Listed as actively exploited. Federal patch due: May 29, 2026. Known ransomware use: Unknown.
Defender Context
This critical zero-day vulnerability in Exchange Server requires immediate attention from organizations still running on-premises deployments. Because the exploit path is an email opened in OWA, every mailbox user is a potential entry point. Defenders should prioritize applying the vendor patch, or migrating to a cloud-based email solution, to mitigate the risk of exploitation through malicious emails; given the CISA KEV listing and active exploitation, this should be treated as an emergency change rather than a routine patch cycle.