Summary
Microsoft is warning of an actively exploited vulnerability (CVE-2026-42897, rated as spoofing) in on-premises Exchange Server: a cross-site scripting (XSS) flaw in Outlook Web Access (OWA) that lets an attacker execute arbitrary JavaScript in a victim's OWA session.
Take Action:
If you run on-premises Microsoft Exchange Server (2016, 2019, or Subscription Edition), confirm that the Exchange Emergency Mitigation Service (EEMS) is enabled and that the M2.1.x mitigation for CVE-2026-42897 has actually been applied on every server; if your network is air-gapped and EEMS cannot reach Microsoft, run the Exchange on-premises Mitigation Tool manually instead. Leave the mitigation in place even if it breaks OWA Print Calendar or inline images; it is a stopgap, so apply the permanent security update as soon as Microsoft releases it.
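The checks above, as an added example written for this page and not code from the BeyondMachines article or from Microsoft: run from the Exchange Management Shell on each Exchange server, it reports whether the EM service is running, whether mitigations are enabled at the organization and server level, whether an M2.1.x mitigation is listed as applied (and not blocked), and whether the server can reach the Office Config Service that EEMS pulls mitigations from. The server name parameter, the `M2.1.*` wildcard (matching the mitigation family named in the article) and the use of `officeclient.microsoft.com:443` as the EEMS download endpoint are assumptions; the Exchange cmdlets and the `MSExchangeMitigation` service name are the standard EEMS ones.

```powershell
# Added example (not from the article): audit EEMS and the M2.1.x mitigation
# on one Exchange server. Run in the Exchange Management Shell on that server.
function Test-EemsMitigation {
    param(
        # Assumption: the Exchange server object name equals the host name.
        [string]$ServerName = $env:COMPUTERNAME,
        # Assumption: mitigation IDs for CVE-2026-42897 share the M2.1. prefix.
        [string]$MitigationPattern = 'M2.1.*'
    )

    $findings = @()

    # 1. The Exchange Emergency Mitigation service must exist and be running.
    $svc = Get-Service -Name MSExchangeMitigation -ComputerName $ServerName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings += "MSExchangeMitigation service not found on $ServerName (EEMS-capable CU not installed?)"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "MSExchangeMitigation service is $($svc.Status) on $ServerName, expected Running"
    }

    # 2. Mitigations must be enabled at BOTH the organization and the server level;
    #    either switch being off means EEMS will not apply anything.
    $org = Get-OrganizationConfig
    if (-not $org.MitigationsEnabled) {
        $findings += "Org-level MitigationsEnabled is False. Fix: Set-OrganizationConfig -MitigationsEnabled `$true"
    }
    $srv = Get-ExchangeServer -Identity $ServerName
    if (-not $srv.MitigationsEnabled) {
        $findings += "Server-level MitigationsEnabled is False on $ServerName. Fix: Set-ExchangeServer -Identity $ServerName -MitigationsEnabled `$true"
    }

    # 3. Enabled is not the same as applied: check the applied and blocked lists.
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    $hit     = @($applied | Where-Object { $_ -like $MitigationPattern })
    $stopped = @($blocked | Where-Object { $_ -like $MitigationPattern })
    if ($hit.Count -eq 0) {
        $findings += "No $MitigationPattern mitigation in MitigationsApplied on $ServerName (applied: $($applied -join ', '))"
    }
    if ($stopped.Count -gt 0) {
        # An admin may have blocked it because of the Print Calendar / inline image breakage;
        # the article's advice is to keep it on regardless.
        $findings += "$($stopped -join ', ') is in MitigationsBlocked on $ServerName; clear it with Set-ExchangeServer -MitigationsBlocked"
    }

    # 4. EEMS downloads mitigations from the Office Config Service. If this host
    #    cannot reach it (air-gapped network), nothing will ever be applied
    #    automatically and the Exchange on-premises Mitigation Tool must be run by hand.
    $ocs = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 -WarningAction SilentlyContinue
    if (-not $ocs.TcpTestSucceeded) {
        $findings += "Cannot reach officeclient.microsoft.com:443 from $ServerName; EEMS cannot auto-apply. Run the Exchange on-premises Mitigation Tool manually"
    }

    if ($findings.Count -eq 0) {
        Write-Output "OK: EEMS enabled and $($hit -join ', ') applied on $ServerName"
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    return ($findings.Count -eq 0)
}

# Check this server; exit non-zero so the result can feed a scheduled compliance job.
if (-not (Test-EemsMitigation)) { exit 1 }
```

The connectivity test in step 4 is performed from the host running the script, so run the script on every Exchange server rather than once from a management box; steps 2 and 3 query Active Directory and are valid for any server name you pass in.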
This article was originally published on BeyondMachines