- Microsoft disclosed an actively exploited spoofing vulnerability tracked as CVE-2026-42897 in on-premise Exchange Server versions.
- The flaw allows attackers to execute arbitrary JavaScript by sending a crafted email, exploitable through Outlook Web Access.
- Mitigation is available via the Exchange Emergency Mitigation Service or a downloadable on-premises tool.
On May 15, 2026, Microsoft revealed a new cyber threat actively targeting on-premise installations of its Exchange Server software. This urgent security advisory, detailed by the company, warns of a spoofing vulnerability with a CVSS score of 8.1.
The vulnerability stems from a cross-site scripting flaw in web page generation. Consequently, an unauthorized attacker can perform spoofing over a network by sending a maliciously crafted email.
When the target opens this email in Outlook Web Access under specific conditions, it can trigger arbitrary JavaScript code execution in their browser. Microsoft has consequently assessed this flaw with an “Exploitation Detected” tag, confirming active in-the-wild use.
Microsoft is offering a temporary mitigation through its automated Exchange Emergency Mitigation Service. This service applies a URL rewrite configuration by default, while a permanent fix is being developed.
For air-gapped environments, the company advises administrators to download and run the Exchange on-premises Mitigation Tool. Instructions for applying the fix to single or all servers were provided in an elevated Exchange Management Shell.
The flaw impacts Exchange Server 2016, 2019, and Subscription Edition, but not Exchange Online. Microsoft‘s Exchange Team noted a cosmetic error message in the mitigation tool that does not affect its successful application.
However, specifics about the exploiting threat actor, attack scale, or successful compromises remain undisclosed. The company and security researchers strongly recommend implementing the provided mitigations immediately.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Latest News About TAO: Bittensor Price, ETF Filings, and 2026 Upgrades Explained
- Rupee Hits 95.87 Against USD; Could Market Crash at 100?
- Gemini Q1 revenue jumps 42% amid credit card surge
- Nigel Farage Faces Probe Over Crypto Billionaire’s $6.7M Gift
- ChatGPT Gets Contextual Safety Updates Amid Legal Scrutiny
