On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

Microsoft disclosed a vulnerability in on-premises Exchange Server that attackers actively exploit in the wild. The flaw, tracked as CVE-2026-42897, carries a CVSS score of 8.1 and stems from a cross-site scripting vulnerability that enables spoofing attacks.

The vulnerability allows threat actors to craft malicious emails that bypass security controls. When users receive these emails, the XSS flaw permits attackers to execute unauthorized actions within the Exchange environment. The spoofing component means attackers can impersonate legitimate senders, increasing the likelihood that targets open and interact with malicious messages.

Organizations running on-premises Exchange Server deployments face immediate risk. The active exploitation in the wild signals that attackers have weaponized this flaw and deployed it against real targets. Victim organizations include enterprises across multiple sectors relying on self-managed Exchange infrastructure.

The vulnerability affects organizations that have not yet applied Microsoft's security patch. On-premises deployments present particular risk compared to cloud-hosted Exchange Online, as organizations must manage patching themselves rather than relying on Microsoft to automatically defend infrastructure.

Microsoft's disclosure included patch availability, though the exact versions affected remain critical to confirm. Organizations should prioritize identifying which Exchange Server versions run in their environments and assess exposure immediately. Delaying patches increases the window for attackers to establish persistence or exfiltrate sensitive data through email systems.

The XSS-based spoofing attack pattern resembles prior Exchange vulnerabilities, including ProxyLogon flaws from 2021 that led to widespread compromise. Email systems remain prime targets because they handle authentication credentials, contain sensitive communications, and provide lateral movement opportunities into broader networks.

Organizations must apply Microsoft patches immediately and monitor email logs for signs of exploitation. Indicators include crafted HTML emails that trigger unexpected script execution or evidence of account impersonation. Email security tools should be updated to