Attackers are already weaponizing this flaw against real targets
In the quiet infrastructure that carries the world's correspondence, a vulnerability has opened a door that should remain closed. On May 15, 2026, the U.S. Cybersecurity and Infrastructure Security Agency confirmed that attackers are actively exploiting a critical flaw in Microsoft Exchange Server — one that turns an ordinary email into a vessel for intrusion. The flaw, CVE-2026-42897, reminds us that the tools we trust most are often the ones that require the most vigilance, and that in the digital age, a single opened message can become the threshold through which an entire organization is compromised.
- A critical cross-site scripting flaw in Outlook Web Access allows attackers to execute malicious JavaScript simply by convincing a user to open a crafted email — no exotic technique required.
- CISA's addition of CVE-2026-42897 to its Known Exploited Vulnerability Catalog is a live alarm, not a forecast — real attackers are already targeting real organizations right now.
- The blast radius of a successful exploit is severe: stolen session tokens, harvested credentials, and a potential foothold for deeper network penetration all flow from a single browser-side code execution.
- Microsoft has not yet delivered a permanent patch, leaving organizations dependent on a temporary Emergency Mitigation Service workaround while the clock runs down.
- Every Exchange Server installation running versions 2016 through the current Subscription Edition sits within the vulnerability's reach, and the window between disclosure and widespread exploitation is historically measured in hours.
On May 15, 2026, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-42897 — a critical flaw in Microsoft Exchange Server — to its Known Exploited Vulnerability Catalog, signaling that active attacks are already underway. The vulnerability resides in Outlook Web Access, the browser-based email interface used widely across organizations, and it operates through a disarmingly simple mechanism: a specially crafted email, once opened and interacted with, causes the attacker's JavaScript to execute inside the victim's browser session.
From that foothold, the consequences compound quickly. An attacker can steal session tokens, capture credentials, and use that access as a launchpad for deeper movement through an organization's network. Microsoft disclosed the flaw on May 14, rating it critical, while NIST assigned it a CVSS score of 8.1. Affected versions span Exchange Server 2016 through the current Subscription Edition — a broad surface covering systems still in widespread enterprise use.
No permanent patch exists yet. Microsoft is offering a temporary mitigation through its Exchange Emergency Mitigation Service, buying time while a full fix is developed. But the urgency is unambiguous: CISA's catalog entry means exploitation is not a hypothetical. For organizations still running vulnerable versions without mitigations in place, the exposure is active and the margin for delay is gone.
On May 15, the U.S. Cybersecurity and Infrastructure Security Agency formally added a dangerous flaw in Microsoft Exchange Server to its catalog of vulnerabilities actively being exploited in the wild. The flaw, tracked as CVE-2026-42897, is a cross-site scripting weakness that lives in the web-based version of Outlook and can allow attackers to run arbitrary code inside a user's browser.
The vulnerability works through a deceptively simple attack vector: an attacker crafts a malicious email and sends it to a target. When that person opens the message in Outlook Web Access—the browser-based interface many organizations use to access email—and takes certain actions within the interface, the attacker's JavaScript code executes in the user's browser session. From there, the damage can cascade. An attacker with code execution in that context can steal session tokens, harvest credentials, or pivot deeper into the organization's network.
Microsoft disclosed the flaw on May 14 and immediately flagged it as critical severity. The National Institute of Standards and Technology assigned it a CVSS severity score of 8.1, which falls into the "high" category by that metric's standards, though Microsoft's own assessment is more dire. The company has confirmed that the vulnerability affects multiple versions of Exchange Server still in widespread use: Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Update 14 and 15, and the latest Subscription Edition release.
What makes this threat urgent is that exploitation is not theoretical. CISA's addition of CVE-2026-42897 to its Known Exploited Vulnerability Catalog means the agency has evidence that attackers are already weaponizing this flaw against real targets. The catalog serves as a public warning to organizations: this is not a future problem. This is happening now.
Microsoft has not yet released a permanent patch. Instead, the company is offering a temporary workaround through its Exchange Emergency Mitigation Service, which can be deployed to reduce exposure while a full fix is being developed. The company has published technical details about how the vulnerability can be exploited, giving organizations the information they need to understand their risk and, in some cases, implement defensive measures on their own.
For any organization running Exchange Server, the calculus is straightforward: systems running vulnerable versions are exposed to attackers who are actively looking for entry points. The window between public disclosure and widespread exploitation is typically measured in hours or days, not weeks. Organizations that have not yet applied mitigations or begun planning for patches are operating on borrowed time.
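One way to verify the two points above on your own servers, as an added example that is not part of the article or of Microsoft's guidance: the script lists each Exchange server's version for comparison against the affected releases named above and reports whether the Emergency Mitigation Service is enabled and running. The MSExchangeMitigation service name and the remote Get-Service query are assumptions to confirm in your environment; run it from the Exchange Management Shell (Windows PowerShell) with Organization Management rights.

```powershell
# Added example, not from the article or from Microsoft: inventory Exchange servers
# and confirm the Exchange Emergency Mitigation Service (EEMS) is enabled, since the
# article reports EEMS is currently the only mitigation for CVE-2026-42897.
# The script only reports; it does not change any setting.

# Organization-wide switch: if this is $false, EEMS cannot apply mitigations anywhere.
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.MitigationsEnabled) {
    Write-Warning "MitigationsEnabled is FALSE at the organization level; EEMS cannot apply anything."
}

# Per-server state. MitigationsApplied and MitigationsBlocked hold the mitigation IDs
# that EEMS has applied or that an administrator has explicitly blocked.
$report = Get-ExchangeServer | ForEach-Object {
    $srv = $_
    # Assumption: the EEMS Windows service is named MSExchangeMitigation.
    # Get-Service -ComputerName is Windows PowerShell 5.1 only (the EMS host).
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion   # compare with the advisory's affected CUs
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($srv.MitigationsApplied -join ',')
        Blocked            = ($srv.MitigationsBlocked -join ',')
        ServiceStatus      = $(if ($svc) { $svc.Status } else { 'Unknown' })
    }
}
$report | Format-Table -AutoSize

# Surface the servers a defender should act on first: mitigations switched off,
# or the service not running so nothing EEMS publishes can be applied.
$report |
    Where-Object { -not $_.MitigationsEnabled -or $_.ServiceStatus -ne 'Running' } |
    ForEach-Object { Write-Warning "$($_.Server): EEMS disabled or service not running" }
```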
Notable Quotes
An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
— Microsoft advisory
The Hearth Conversation
Another angle on the story
Why does a cross-site scripting flaw in email software rise to the level of critical? Isn't that mostly a web application concern?
Because Outlook Web Access is where the vulnerability lives, and that's often the only way employees access email from outside the office. An attacker doesn't need to break into the server itself—they just need to get a user to open a malicious email. Once JavaScript runs in that browser context, the attacker has the same access the user does.
So the attacker could read someone's emails, or impersonate them?
Exactly. They could steal session cookies, harvest credentials, read sensitive messages, or use that foothold to move laterally into other systems on the network. It's a door into the organization.
Why is Microsoft still offering only a temporary fix?
Permanent patches take time to develop and test without breaking other functionality. In the meantime, the Emergency Mitigation Service buys organizations breathing room—it's not perfect, but it reduces the attack surface while the real fix is being built.
How many organizations are actually vulnerable?
Anyone running Exchange Server 2016, 2019, or the Subscription Edition without the mitigation applied. That's a lot of organizations. Exchange is ubiquitous in enterprise environments.
What should someone do if they're running one of those versions?
Apply the temporary mitigation immediately, then prioritize getting the permanent patch the moment Microsoft releases it. Waiting is not an option when attackers are already exploiting the flaw.