Microsoft Exchange Zero-Day Under Attack, No Patch Available
Summary
A zero-day vulnerability, identified as CVE-2026-42897, has been discovered in Microsoft Exchange Server and is being actively exploited. This cross-site scripting (XSS) flaw allows attackers to compromise Outlook Web Access (OWA) mailboxes, and Microsoft has not yet released a patch.
IFF Assessment
Active exploitation of a zero-day vulnerability in a platform as widely used as Microsoft Exchange poses a significant threat to organizations and is bad news for defenders.
Severity
The CVSS score is estimated to be high (8.8). The estimate reflects the critical impact of compromising mailboxes via OWA, the ease of exploitation through a cross-site scripting flaw, and the lack of an immediate patch, which makes the flaw highly exploitable in the wild.
CISA KEV: Listed as actively exploited. Federal patch due: May 29, 2026. Known ransomware use: Unknown.
Defender Context
Defenders need to be extremely vigilant as this actively exploited zero-day vulnerability in Microsoft Exchange can lead to the compromise of sensitive OWA mailboxes. Organizations should prioritize implementing any available workarounds or compensating controls while awaiting a patch from Microsoft, and actively monitor their Exchange environments for signs of compromise.