Your Inbox Could Be the Entry Point: CISA Flags Actively Exploited Microsoft Exchange Flaw
A cross-site scripting vulnerability hiding inside Outlook Web Access is already being weaponized, and the clock is ticking for organizations still running on-premises Exchange.
There is a quiet but serious problem sitting inside many corporate email systems right now. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially confirmed that attackers are actively exploiting a vulnerability in Microsoft Exchange Server, and the attack surface is something almost every Exchange user touches daily: Outlook Web Access (OWA).
The flaw, tracked as CVE-2026-42897, is classified as a cross-site scripting (XSS) vulnerability. In plain terms, it allows an attacker to inject and execute malicious JavaScript code directly within a victim's browser, silently and without needing elevated server access to pull it off.
What Exactly Is the Vulnerability?
The issue lies in the way Exchange Server generates web pages for Outlook Web Access during certain user interactions. When the application fails to properly handle and sanitize user-supplied input, it creates an opening for attackers to slip malicious script into the rendered page. The moment that script executes in a victim's browser, the attacker's foothold is established.
Technically, it falls under CWE-79: "Improper Neutralization of Input During Web Page Generation." This is one of the most common vulnerability classes in web security, but its prevalence doesn't make it any less dangerous. Quite the opposite: because XSS is so well-understood, threat actors have years of refined tooling to exploit it efficiently.
XSS flaws in enterprise email platforms are particularly dangerous because they sit right at the intersection of trusted sessions and sensitive communications: a dream target for attackers.
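The generation-time defect described above, shown in a constructed Python example that is not Microsoft Exchange or OWA code: a page fragment built by splicing an untrusted value straight into markup (the CWE-79 pattern) beside the same fragment built with HTML-context encoding, plus a small parser-based audit that reports whether the supplied value stayed data or became a tag or event handler. The renderer, the sample inputs and the audit helper are all assumptions made for illustration.

```python
"""CWE-79 in miniature: the same page-generation step written two ways.

Constructed example, not Microsoft Exchange or OWA code. The renderer,
inputs and audit helper are all assumptions made for illustration.
"""
import html
from html.parser import HTMLParser


def render_vulnerable(display_name: str) -> str:
    """Splice an untrusted value straight into markup (the CWE-79 pattern)."""
    return f'<div class="sender" title="{display_name}">{display_name}</div>'


def render_hardened(display_name: str) -> str:
    """Encode for the HTML context first, so the value can only ever be text.

    quote=True also turns " and ' into entities, which is what keeps the
    attribute context intact when the value lands inside title="...".
    """
    safe = html.escape(display_name, quote=True)
    return f'<div class="sender" title="{safe}">{safe}</div>'


class MarkupAudit(HTMLParser):
    """Collect every start tag and every on* attribute a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers.append(name.lower())


def audit(rendered: str) -> dict:
    """Parse a rendered fragment and report the tags and handlers it contains."""
    parser = MarkupAudit()
    parser.feed(rendered)
    parser.close()
    return {"tags": parser.tags, "event_handlers": parser.event_handlers}


def is_inert(rendered: str, allowed_tags=("div",)) -> bool:
    """True when the fragment contains only the tags the template itself emits
    and no event-handler attributes, i.e. the input stayed data, not code."""
    result = audit(rendered)
    return all(t in allowed_tags for t in result["tags"]) and not result["event_handlers"]


# Constructed inputs: a normal name, a name with characters that need encoding,
# and two classic test strings that probe the text and attribute contexts.
SAMPLE_INPUTS = [
    "Alice Example",
    "O'Neil & Sons",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]


def compare(inputs=SAMPLE_INPUTS):
    """For each input: (input, vulnerable render inert?, hardened render inert?)."""
    return [(s, is_inert(render_vulnerable(s)), is_inert(render_hardened(s))) for s in inputs]


if __name__ == "__main__":
    for value, vuln_ok, hard_ok in compare():
        print(f"{value!r:32} vulnerable_inert={vuln_ok!s:5} hardened_inert={hard_ok}")
```

The audit deliberately uses a real HTML parser rather than a regular expression: the hardened output still contains the literal characters `onmouseover=` inside an escaped attribute value, and a naive pattern match would flag it, while a parser correctly sees a single `div` with no handler attribute. Encoding has to match the output context; `html.escape` covers text and quoted attributes, but a value placed inside a `<script>` block or a URL needs a different encoder.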
How an Attack Actually Unfolds
Here is a realistic picture of how this gets exploited. An attacker crafts a malicious link designed to trigger the XSS flaw. That link gets delivered, through a phishing email, a message in a shared system, or another social engineering method, to a target who is already logged into their Exchange mailbox via OWA. The moment the target clicks it, the injected JavaScript runs with the full privileges of their authenticated session.
From there, the consequences escalate quickly. An attacker with a live session token can read and exfiltrate emails, impersonate the victim in internal communications, harvest credentials, or use that initial access as a launchpad to push deeper into the network. Think of it as a skeleton key that fits the front door of your organization's most sensitive communications platform.
And while Microsoft has not publicly tied this specific CVE to any named ransomware group, CISA's decision to add it to the Known Exploited Vulnerabilities (KEV) catalog is itself a strong signal. That catalog only receives entries when exploitation in the wild has been confirmed, not suspected, not theorized. Confirmed.
Why Exchange Keeps Being a Target
This is not the first time Microsoft Exchange has landed in the security headlines, and it almost certainly will not be the last. Exchange servers are extraordinarily attractive targets: they handle enormous volumes of sensitive business communications, they typically hold authentication credentials, and in many organizations they are reachable directly from the internet. Attackers know this, and they prioritize these systems accordingly.
The 2021 ProxyLogon and ProxyShell campaigns demonstrated just how catastrophic unpatched Exchange vulnerabilities could be at scale, with tens of thousands of servers compromised within days of disclosure. While this incident involves a different class of flaw, the underlying dynamic is the same: Exchange is always in the crosshairs, and delay is not an option.
What Your Security Team Should Do Right Now
CISA's guidance is straightforward: apply the vendor-provided patch immediately. Microsoft has released a security update addressing this vulnerability, and organizations should prioritize deploying it across all Exchange Server instances without waiting for a scheduled maintenance window.
If patching is temporarily blocked by change management processes or operational constraints, CISA advises following Microsoft's alternative mitigations as an interim measure, but this should be a short bridge, not a long-term strategy. For systems where neither patching nor mitigation is immediately feasible, the recommendation is to consider taking the affected services offline until they can be secured.
1. Identify all on-premises Microsoft Exchange Server deployments in your environment.
2. Apply Microsoft's security patch for CVE-2026-42897 immediately; do not wait for routine patch cycles.
3. If immediate patching is blocked, implement Microsoft's documented interim mitigations and escalate patching as a P1 priority.
4. Review Exchange and OWA access logs for suspicious patterns: unusual authentication spikes, unexpected script execution events, or anomalous user behavior.
5. Audit which Exchange services are internet-facing and consider restricting OWA access via VPN or conditional access policies as an additional control.
6. Brief your incident response team on the indicators of compromise associated with XSS-based session hijacking.
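Step 4 asks for a log review. Here is an added Python triage script, not Microsoft tooling and not from the original article, that reads constructed IIS W3C-format lines from the OWA front end (OWA is served by IIS, which declares its log columns in a "#Fields:" header) and flags two of the patterns the list names: query strings carrying script markers, and bursts of authentication requests from a single source. The column set, usernames, addresses, timestamps and log lines are all assumptions made for the sample.

```python
"""Triage helper for OWA front-end logs, written for the checklist above.

Added example, not Microsoft tooling. The OWA front end runs on IIS, whose
W3C-format logs declare their columns in a "#Fields:" header; the column set,
the log lines, user names and IPs below are all constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-03-02 09:14:03 GET /owa/ - CORP\\alice 10.0.5.21 200
2026-03-02 09:14:05 POST /owa/auth.owa - - 10.0.5.21 302
2026-03-02 09:15:40 GET /owa/ ae=Item&a=Open&id=%3Cscript%3Ealert(1)%3C%2Fscript%3E CORP\\alice 10.0.5.21 200
2026-03-02 09:15:41 GET /owa/ ae=Folder&t=IPF.Note&id=%2522%2520onerror%253Dalert(1) CORP\\alice 10.0.5.21 200
2026-03-02 09:16:02 POST /owa/auth.owa - - 203.0.113.7 401
2026-03-02 09:16:03 POST /owa/auth.owa - - 203.0.113.7 401
2026-03-02 09:16:04 POST /owa/auth.owa - - 203.0.113.7 401
2026-03-02 09:16:05 POST /owa/auth.owa - - 203.0.113.7 401
2026-03-02 09:16:06 POST /owa/auth.owa - - 203.0.113.7 401
2026-03-02 09:16:07 POST /owa/auth.owa - - 203.0.113.7 401
2026-03-02 09:20:15 GET /owa/ ae=Item&a=New&t=IPM.Note CORP\\bob 10.0.5.44 200
"""

# Markers of script being smuggled through a query string. Deliberately narrow:
# this is a triage filter that shortlists rows for a human, not a WAF rule.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|svg|img)\b",
    re.IGNORECASE,
)


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed row: skip rather than guess at columns
        rows.append(dict(zip(fields, values)))
    return rows


def decode_query(query):
    """Percent-decode up to three times so double-encoded payloads surface too."""
    if query == "-":
        return ""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def find_script_injection(rows):
    """Rows whose decoded query string carries a script marker."""
    hits = []
    for row in rows:
        decoded = decode_query(row["cs-uri-query"])
        if SCRIPT_MARKERS.search(decoded):
            hits.append((row["time"], row["cs-username"], row["c-ip"], decoded))
    return hits


def auth_spikes(rows, window_seconds=60, threshold=5):
    """Source IPs that hit auth.owa at least `threshold` times in one window."""
    counts = Counter()
    for row in rows:
        if row["cs-uri-stem"].lower() != "/owa/auth.owa":
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        window = int((ts - datetime(1970, 1, 1)).total_seconds()) // window_seconds
        counts[(row["c-ip"], window)] += 1
    return sorted((ip, n) for (ip, _w), n in counts.items() if n >= threshold)


def triage(text=SAMPLE_LOG):
    """Run both checks over one log and return a small report."""
    rows = parse_w3c(text)
    return {
        "rows": len(rows),
        "script_injection": find_script_injection(rows),
        "auth_spikes": auth_spikes(rows),
    }


if __name__ == "__main__":
    report = triage()
    print(f"parsed {report['rows']} rows")
    for hit in report["script_injection"]:
        print("possible XSS attempt:", hit)
    for ip, n in report["auth_spikes"]:
        print(f"auth spike: {ip} hit auth.owa {n} times in one window")
```

Two caveats worth keeping in mind when adapting this. IIS logs the query string but not the request body, so a payload delivered in a POST body or stored in a message will not appear here; that is what the "unexpected script execution events" in step 4 point at, and it needs browser-side or content-level telemetry. The fixed one-minute bucket in `auth_spikes` can also split a burst across a boundary; a sliding window is the better choice once the threshold is tuned to your own baseline.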
The Bigger Picture
This incident is part of a broader and accelerating trend: threat actors are systematically targeting the tools that organizations rely on most for collaboration and communication. Email platforms, VPN gateways, and remote access portals have all seen a surge in targeting precisely because compromising them yields disproportionate access.
For organizations still running Exchange on-premises, this is also a timely moment to reassess whether that architecture still makes strategic sense relative to the ongoing security overhead it demands. Cloud-hosted solutions receive patches automatically and remove much of the burden of staying ahead of vulnerabilities like this one.
That said, the immediate priority is clear: patch now, audit your logs, and reduce your internet-facing exposure wherever possible. The attackers who are already exploiting this flaw are not waiting.