Microsoft has released security updates for an actively exploited Exchange Server vulnerability that could allow attackers to run malicious JavaScript code through Outlook Web Access.
The high-severity flaw, tracked as CVE-2026-42897, affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Microsoft says remote attackers do not need any privileges to exploit the vulnerability.
According to the Exchange Team, an attacker could abuse the issue by sending a specially crafted email to a target. If the user opens that email in Outlook Web Access and certain interaction conditions are met, the attacker’s JavaScript code could run inside the victim’s browser session.
Microsoft first responded to the issue in mid-May by rolling out a temporary automatic mitigation through the Exchange Emergency Mitigation Service. The company has now released full security updates and is urging administrators to install them as soon as possible.
Microsoft said Exchange Server customers should apply the June 2026 security updates for their affected version to protect against the vulnerability. The company also advised admins to keep the mitigation in place because it adds another layer of protection against cross-site scripting attacks.
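For administrators who want to verify both pieces of that advice at once, the following Exchange Management Shell script is an added example (it is not from the article or from Microsoft). It lists each Exchange server's build, whether it meets a baseline build the operator fills in from the June 2026 SU release notes, and whether Exchange Emergency Mitigation Service mitigations are still enabled at the organization and server level. The `$PatchedBuilds` values are placeholders, and the 15.1/15.2 family mapping and the `Get-ExchangeServerPatchState` function name are this example's own assumptions; the `MitigationsEnabled` and `MitigationsApplied` properties are the ones Exchange exposes on `Get-ExchangeServer` and `Get-OrganizationConfig`.

```powershell
# Added example, not part of the article. Run in the Exchange Management Shell.
# PLACEHOLDER baseline: replace with the fixed build numbers from Microsoft's
# June 2026 SU release notes. Keyed by "major.minor" of AdminDisplayVersion:
# 15.1 = Exchange Server 2016; 15.2 = Exchange Server 2019 and (assumed here)
# Exchange Server Subscription Edition.
$PatchedBuilds = @{
    '15.1' = [Version]'15.1.0.0'   # PLACEHOLDER
    '15.2' = [Version]'15.2.0.0'   # PLACEHOLDER
}

function Get-ExchangeServerPatchState {
    [CmdletBinding()]
    param([hashtable]$Baseline = $PatchedBuilds)

    # Organization-wide EEMS switch; the article advises leaving mitigations on.
    $orgMitigations = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($srv in Get-ExchangeServer) {
        # AdminDisplayVersion renders as "Version 15.2 (Build 1544.14)";
        # turn it into a comparable [Version] object.
        $text = $srv.AdminDisplayVersion.ToString()
        if ($text -notmatch 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            Write-Warning "Could not parse version for $($srv.Name): $text"
            continue
        }
        $build    = [Version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
        $family   = '{0}.{1}' -f $build.Major, $build.Minor
        $expected = $Baseline[$family]

        [pscustomobject]@{
            Server              = $srv.Name
            Build               = $build
            # Unknown family (no baseline entry) is reported as not patched.
            Patched             = ($null -ne $expected -and $build -ge $expected)
            OrgMitigationsOn    = $orgMitigations
            ServerMitigationsOn = $srv.MitigationsEnabled
            MitigationsApplied  = ($srv.MitigationsApplied -join ', ')
        }
    }
}

# Servers that are unpatched or have mitigations switched off sort to the top.
Get-ExchangeServerPatchState |
    Sort-Object Patched, ServerMitigationsOn, Server |
    Format-Table -AutoSize
```

Any row with `Patched` set to False, or with either mitigation column False, is a server that still needs attention under the guidance above; `MitigationsApplied` shows which EEMS mitigation IDs are currently active on each server.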
The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its catalog of vulnerabilities exploited in the wild on May 15. Federal civilian agencies were ordered to patch affected servers within two weeks, with a deadline of May 29.
Exchange Server has remained a frequent target for attackers in recent years. Over the past five years, CISA has added 20 Microsoft Exchange Server vulnerabilities to its exploited vulnerabilities list, and ransomware groups have used 14 of them in attacks.