Microsoft has confirmed that a newly disclosed security vulnerability affecting on-premise versions of its Exchange Server is being actively exploited in the wild. The company issued an advisory detailing the flaw, which carries a CVSS score of 8.1, indicating a high severity level. The exploitation targets specific installations of the email and calendaring server software used by organizations worldwide.

Designated as CVE-2026-42897, the vulnerability has been classified as a spoofing bug. According to Microsoft, the root cause of the vulnerability lies in a cross-site scripting (XSS) flaw. Cross-site scripting vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping. In this context, it allows an attacker to inject malicious scripts into a web page viewed by other users.

Microsoft reported that an anonymous researcher discovered and reported the issue. The company did not provide further details regarding the researcher’s identity or affiliation. The disclosure followed standard coordinated vulnerability disclosure protocols, allowing Microsoft time to develop and release a security update before publicizing the flaw.

Attack Vector and Exploitation Method

Microsoft stated that the vulnerability can be exploited through a specially crafted email. An attacker would send a malicious email to a target Exchange Server. When the server processes the email, the spoofing vulnerability could be triggered. A successful exploit could allow an attacker to impersonate a legitimate user or source, potentially leading to unauthorized access or data compromise.

The company did not specify the geographic regions or sectors most affected by the active exploitation. However, given the widespread deployment of on-premise Exchange Server in enterprise and government environments, the potential impact is significant. Organizations that have not applied the latest security patches are at heightened risk.

Impact Assessment and Affected Versions

Microsoft indicated that the vulnerability affects supported versions of on-premise Microsoft Exchange Server. The CVSS score of 8.1 reflects the potential for high confidentiality impact, though the attack complexity remains low. An attacker would need network access to the target system but does not require prior authentication or user interaction beyond the initial email delivery.

The security bulletin urged administrators to prioritize the installation of the latest cumulative updates (CUs) and security patches. Microsoft noted that fully updated systems are protected against this specific exploitation campaign. The company also recommended enabling advanced threat protection features and reviewing email security configurations to mitigate similar risks.

Industry Context and Mitigation Guidance

This incident follows a pattern of targeted attacks against on-premise email infrastructure. Exchange Server has historically been a frequent target for threat actors, with multiple high profile vulnerabilities disclosed and exploited in recent years. The current campaign underscores the importance of maintaining rigorous patch management practices.

Microsoft advised organizations to implement network segmentation, apply the principle of least privilege, and monitor for unusual email processing activity. Security researchers also recommend reviewing Exchange Server logs for signs of unauthorized script execution or anomalous outbound network connections. These steps can help detect potential exploitation attempts even before a patch is applied.

For organizations unable to immediately patch, Microsoft suggested using the Exchange Server URL rewrite module to block known malicious patterns. The company also provided detection guidance through its Microsoft 365 Defender portal, which can alert administrators to suspicious activity related to this vulnerability.

Forward Looking Guidance and Next Steps

Microsoft is expected to continue monitoring the threat landscape for further exploitation of CVE-2026-42897. The company typically rolls out security updates through its monthly Patch Tuesday cycle, though emergency out-of-band patches may be issued if active exploitation escalates. Administrators should subscribe to the Microsoft Security Response Center (MSRC) notifications for the latest updates.

Organizations that have not yet deployed the latest Exchange Server cumulative updates are strongly urged to do so immediately. Regular security audits and vulnerability scanning should be incorporated into standard operational procedures to minimize exposure to future threats. As with all critical vulnerabilities, timely patching remains the most effective defense against active exploitation campaigns.

Source: Delimiter