{"id":13541,"date":"2026-06-11T10:03:43","date_gmt":"2026-06-11T10:03:43","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/11\/microsoft-exchange-server-0-day-vulnerability-exploited-in-attacks-using-weaponized-email\/"},"modified":"2026-06-11T10:03:43","modified_gmt":"2026-06-11T10:03:43","slug":"microsoft-exchange-server-0-day-vulnerability-exploited-in-attacks-using-weaponized-email","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/11\/microsoft-exchange-server-0-day-vulnerability-exploited-in-attacks-using-weaponized-email\/","title":{"rendered":"Microsoft Exchange Server 0-Day Vulnerability Exploited in Attacks Using Weaponized Email"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">Microsoft has confirmed active exploitation of a new<a href=\"https:\/\/cybersecuritynews.com\/microsoft-exchange-windows-11-and-cursor-zero-days-exploited-pwn2own\/\" target=\"_blank\" rel=\"noreferrer noopener\"> zero\u2011day spoofing flaw<\/a> in on\u2011premises Exchange Server, tracked as CVE\u20112026\u201142897.<\/p>\n<p class=\"wp-block-paragraph\">The flaw allows attackers to execute arbitrary JavaScript in <a href=\"https:\/\/cybersecuritynews.com\/microsoft-outlook-com-issue-blocks-users\/\" target=\"_blank\" rel=\"noreferrer noopener\">Outlook Web Access (OWA)<\/a> simply by sending a weaponized email that a victim opens in a browser.<\/p>\n<p class=\"wp-block-paragraph\">On May 14, 2026, Microsoft disclosed CVE\u20112026\u201142897 as a spoofing vulnerability in Exchange Outlook Web Access that stems from improper neutralization of user input during web page generation, essentially a cross\u2011site scripting (XSS) bug (CWE\u201179).<\/p>\n<p class=\"wp-block-paragraph\">An unauthenticated attacker can 
send a specially crafted email. When the target opens it in OWA and specific interaction conditions are met, attacker\u2011supplied JavaScript executes in the browser context of the logged\u2011in user.<\/p>\n<p class=\"wp-block-paragraph\">The flaw affects all update levels of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE), while <a href=\"https:\/\/cybersecuritynews.com\/microsoft-365-network-level-disruption\/\" target=\"_blank\" rel=\"noreferrer noopener\">Exchange Online (Microsoft 365)<\/a> is not impacted.<\/p>\n<h2 id=\"h-microsoft-exchange-server-0-day-vulnerability\" class=\"wp-block-heading\"><strong>Microsoft Exchange Server 0-Day Vulnerability<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Microsoft\u2019s exploitability assessment classifies the CVE as \u201c<a href=\"https:\/\/cybersecuritynews.com\/microsoft-exchange-and-windows-clfs-vulnerabilities-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">Exploitation Detected<\/a>,\u201d confirming that real\u2011world attacks are already leveraging this issue.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft rates CVE\u20112026\u201142897 as Critical on its own severity scale; its CVSS v3.1 base score is 8.1 (High on the CVSS scale), reflecting a network\u2011reachable attack that requires no privileges on the attacker side and only basic user interaction (opening the email in OWA).<\/p>\n<p class=\"wp-block-paragraph\">Successful exploitation allows the attacker to execute JavaScript in the victim\u2019s browser session, enabling email spoofing, <a href=\"https:\/\/cybersecuritynews.com\/stock-exchange-executives-outlook-account-targeted\/\" target=\"_blank\" rel=\"noreferrer noopener\">credential theft<\/a>, session hijacking, and actions performed on behalf of the compromised user.<\/p>\n<p class=\"wp-block-paragraph\">Because the attack is delivered via email and triggers when content is rendered in OWA, it can bypass traditional attachment\u2011 or link\u2011focused security controls and blend into normal 
mailbox activity.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897\/4518498\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft notes that exploitation<\/a> has only been observed through OWA rendering; Exchange Online and non\u2011OWA access paths are not currently known to be affected.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft\u2019s primary short\u2011term defense is the Exchange Emergency Mitigation (EM) Service, which is enabled by default on supported on\u2011premises Exchange servers and automatically deploys mitigation M2.1.x for CVE\u20112026\u201142897.<\/p>\n<p class=\"wp-block-paragraph\">Organizations can verify mitigation status using the EM \u201cViewing Applied Mitigations\u201d guidance or the Exchange Health Checker script, which surfaces an EEMS check section in its HTML report.<\/p>\n<p class=\"wp-block-paragraph\">For disconnected or air\u2011gapped environments, Microsoft provides the Exchange On\u2011Premises Mitigation Tool (EOMT), which applies CVE\u2011specific mitigations per server via a PowerShell script named PowerShell.ps1 with the CVE parameter.<\/p>\n<p class=\"wp-block-paragraph\">These mitigations rely on the browser\u2019s <a href=\"https:\/\/cybersecuritynews.com\/content-security-policy-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">Content Security Policy<\/a> (CSP) enforcement and therefore do not protect users who access OWA through Internet Explorer or through Edge in Internet Explorer Mode, neither of which supports CSP.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-june-2026\/\" target=\"_blank\" rel=\"noreferrer noopener\">On June 9, 2026, Microsoft released Security Updates<\/a> (SUs) for Exchange SE RTM, Exchange Server 2019 CU14\/CU15, and Exchange Server 2016 CU23 that include a permanent fix for CVE\u20112026\u201142897, with the 2016\/2019 updates available 
only to customers in the Period 2 Extended Security Update (ESU) program.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft recommends installing the June 2026 SUs as soon as possible and keeping the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-42897\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CVE\u20112026\u201142897 mitigation<\/a> in place as an extra defense layer even after patching.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft warns that applying the mitigation (via EM Service or EOMT) may break or degrade certain OWA features, including calendar printing, inline image display in the reading pane, OWA Light, published calendars, and the OWACalendar proxy health set, which may trigger false alerts in monitoring systems.<\/p>\n<p class=\"wp-block-paragraph\">These issues are expected to clear once organizations have installed the June 2026 update and then manually removed the mitigation, should they choose to do so.<\/p>\n<p class=\"wp-block-paragraph\">The June 2026 blog also highlights that the EM and feature flighting services will stop consuming new configuration files from July 2026 unless Exchange servers are updated to at least the June 2026 level, reinforcing the need to move to current builds.<\/p>\n<p class=\"wp-block-paragraph\">For organizations still on Exchange 2016\/2019 without Period 2 ESU, Microsoft advises migrating to Exchange SE to maintain access to future security fixes.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-exchange-server-0-day-exploited\/\">Microsoft Exchange Server 0-Day Vulnerability Exploited in Attacks Using Weaponized Email<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Exchange Server 0-Day Vulnerability Exploited in Attacks Using Weaponized Email Microsoft has confirmed active exploitation of a new zero\u2011day spoofing flaw in on\u2011premises Exchange Server, tracked as CVE\u20112026\u201142897. The flaw allows attackers to execute arbitrary JavaScript in Outlook Web Access (OWA) simply by sending a weaponized email that a victim opens in a browser. 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-13541","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13541"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13541"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13541\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
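The article says administrators can verify mitigation status through the EM "Viewing Applied Mitigations" guidance and that unpatched servers should either receive the June 2026 SU or the mitigation (via EM or EOMT). The script below is an added example of that fleet-wide check; it is not code from the article, from Microsoft's EM documentation, or from EOMT (it does not use the `PowerShell.ps1` script the article mentions). It assumes it runs in the Exchange Management Shell (Windows PowerShell 5.1) with at least View-Only Organization Management rights, that `Get-ExchangeServer` exposes the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties and `Get-OrganizationConfig` exposes `MitigationsEnabled`, that the EM Windows service is named `MSExchangeMitigation`, and that the operator supplies the exact mitigation ID (the article gives only the `M2.1.x` family) and the patched build number from Microsoft's build table, since neither is stated on the page.

```powershell
<#
Added example (not from the article, Microsoft's EM documentation, or EOMT).
Reports, per on-premises Exchange server, whether the Emergency Mitigation (EM)
service is enabled and running, whether the CVE-2026-42897 mitigation has been
applied or blocked, and whether the installed build is at or above the June 2026
SU level, then lists servers that are both unpatched and unmitigated.

Assumptions:
 - Exchange Management Shell (Windows PowerShell 5.1), View-Only Org Management.
 - Get-ExchangeServer exposes MitigationsEnabled/MitigationsApplied/MitigationsBlocked;
   Get-OrganizationConfig exposes MitigationsEnabled.
 - The EM Windows service is named MSExchangeMitigation.
 - $MitigationId and $PatchedBuild come from Microsoft's guidance; the article
   only gives "M2.1.x" and does not list build numbers, so nothing is hard-coded.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$MitigationId,   # exact ID from the EM "Viewing Applied Mitigations" guidance

    [Parameter(Mandatory = $true)]
    [version]$PatchedBuild   # e.g. 15.2.<build>.<rev> for your CU, from Microsoft's build table
)

# EM is also gated at the organization level; a server-level $true means nothing
# if the org-level switch is off.
$orgEnabled = [bool](Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' })) {
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    # AdminDisplayVersion renders as "Version 15.2 (Build 1544.14)"; turn it into a
    # [version] so builds compare numerically instead of as strings.
    $build = $null
    if ("$($srv.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        $build = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }

    # Get-Service -ComputerName exists in Windows PowerShell 5.1 (not PowerShell 7).
    $svcStatus = try {
        (Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction Stop).Status
    } catch { 'Unknown' }

    [pscustomobject]@{
        Server            = $srv.Name
        Build             = $build
        PatchedForCve     = [bool]($build -and $build -ge $PatchedBuild)
        EMOrgEnabled      = $orgEnabled
        EMServerEnabled   = [bool]$srv.MitigationsEnabled
        EMService         = "$svcStatus"
        MitigationApplied = ($applied -contains $MitigationId)
        MitigationBlocked = ($blocked -contains $MitigationId)
    }
}

$report | Format-Table -AutoSize

# Action list: a server with neither the June 2026 SU nor the mitigation is exposed
# to the OWA XSS. Name the most likely reason so it can be routed to the right fix
# (re-enable EM, start the service, lift the block, or apply EOMT offline).
$exposed = $report | Where-Object { -not $_.PatchedForCve -and -not $_.MitigationApplied }
foreach ($e in $exposed) {
    $why = if (-not $e.EMOrgEnabled)            { 'EM disabled at organization level' }
           elseif (-not $e.EMServerEnabled)     { 'EM disabled on this server' }
           elseif ($e.EMService -ne 'Running')  { "EM service state: $($e.EMService)" }
           elseif ($e.MitigationBlocked)        { 'mitigation explicitly blocked on this server' }
           else { 'EM enabled but mitigation not applied; check connectivity or apply via EOMT' }
    Write-Warning "$($e.Server): unpatched and unmitigated ($why)"
}
```

Even where the mitigation shows as applied, remember the article's caveat: it is CSP-based, so users reaching OWA through Internet Explorer or Edge in IE Mode remain exposed until the June 2026 SU is installed; the build comparison above is the check that actually closes that gap.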