Active Microsoft Exchange zero-day leaves organisations exposed
A vulnerability in Microsoft Exchange that lets attackers execute malicious code through specially crafted e-mails opened in Outlook Web Access is a serious and urgent threat: it is already being actively exploited, and no permanent patch yet exists.
This is according to cyber security specialists, who warn that organisations running on-premises Exchange environments remain exposed and, for now, can do little more than aggressively mitigate risk while waiting for Microsoft to release a permanent fix.
The vulnerability is the result of an “improper neutralisation of input during web page generation” – a cross-site scripting flaw in Microsoft Exchange Server that could allow an unauthorised attacker to carry out spoofing attacks over a network.
Spoofing allows an attacker to impersonate a trusted source – in this case, by sending a specially crafted e-mail that, once opened in Outlook Web Access (OWA), executes arbitrary JavaScript code within the victim’s browser session under certain interaction conditions.
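The flaw class described above is missing output encoding when untrusted e-mail content is turned into a web page. The following JavaScript is an added illustration, not code from the article, from Microsoft or from OWA: the message structure, field names and sample e-mail are constructed for the demo, and the hypothetical `renderMessageUnsafe`/`renderMessageSafe` pair shows the defect beside the control that neutralises it.

```javascript
// Added example, not code from the article or from Microsoft. It shows the control that
// "improper neutralisation of input during web page generation" (CWE-79) lacks: encoding
// untrusted e-mail fields for the HTML context they are written into.
// The message shape, field names and sample message below are constructed for this demo.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a string for insertion into an HTML text or double-quoted attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: attacker-controlled e-mail fields are concatenated straight into markup,
// so any tags or event handlers carried in the message become part of the rendered page.
function renderMessageUnsafe(msg) {
  return (
    `<article class="mail"><h2>${msg.subject}</h2>` +
    `<p>From: ${msg.from}</p><div class="body">${msg.body}</div></article>`
  );
}

// Hardened pattern: every untrusted field is encoded for the context it lands in, so the
// browser displays the characters instead of parsing them as markup.
function renderMessageSafe(msg) {
  return (
    `<article class="mail"><h2>${escapeHtml(msg.subject)}</h2>` +
    `<p>From: ${escapeHtml(msg.from)}</p><div class="body">${escapeHtml(msg.body)}</div></article>`
  );
}

// Smoke test over rendered output: does anything capable of running script survive?
// Event handlers and javascript: URLs are only matched inside a tag, because correctly
// encoded text may legitimately contain the literal characters "onerror=".
function containsActiveMarkup(html) {
  return /<script\b|<[^>]*\son[a-z]+\s*=|<[^>]*javascript:/i.test(html);
}

// Constructed sample message standing in for a hostile e-mail (not a real payload).
const SAMPLE_MESSAGE = {
  from: "billing@example.test",
  subject: 'Invoice <script>alert("xss")</script>',
  body: 'Please review the attached <img src="x" onerror="alert(1)"> invoice.',
};

// Render the same message both ways and report whether active markup survived.
function demo() {
  const unsafe = renderMessageUnsafe(SAMPLE_MESSAGE);
  const safe = renderMessageSafe(SAMPLE_MESSAGE);
  return {
    unsafeHasActiveMarkup: containsActiveMarkup(unsafe),
    safeHasActiveMarkup: containsActiveMarkup(safe),
    safe,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point of the pairing is where the encoding happens: at output, per context, rather than by trying to strip "bad" strings from the input. The `containsActiveMarkup` regex is a regression check for a test suite, not a sanitiser; a parser-based check or a browser's DOM is the authoritative judge of what markup does.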
The vulnerability is particularly significant given Microsoft Exchange’s dominance in the enterprise e-mail market, says Mark Walker, director at technology consultancy T4i.
“Microsoft on-prem Exchange Server plus Exchange Online 365 accounts for approximately 70% of the global corporate and enterprise e-mail market. This is a serious vulnerability as it can disrupt corporate IT security via an unauthorised spoofing attack over a network,” Walker says.
Already in the wild
Microsoft disclosed the vulnerability, tracked as CVE-2026-42897, on 14 May. The flaw affects all supported versions of on-premises Exchange Server: Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition.
Jason Jordaan, principal forensic scientist at DFIR Labs, says the exploit allows attackers to compromise on-premises Microsoft Exchange servers and has already been used in active attacks.
“How bad is it? Well, bad enough for the US Cybersecurity and Infrastructure Security Agency (CISA) to basically release an alert on it. Obviously, they’re seeing it in extensive use in the wild,” says Jordaan. E-mail remains one of the most common attack vectors, he adds.
Jacqui Muller, a researcher at Belgium Campus iTversity and a PhD candidate in computer science, says the combination of active exploitation and the absence of a permanent patch significantly increases the risk profile.
“The fact that the vulnerability is already being actively exploited, combined with the absence of a permanent patch at this stage, significantly increases the risk profile,” Muller says.
- Robin-Leigh Chetty, editor, Hypertext
By this year, attackers were using AI to scale and accelerate cyber crime, which extends from generating code and automating attacks, to crafting convincing phishing and deepfake scams. The AI Incident Database lists more than 7 000 incidents in which AI was used as a hacking tool.


