CVE-2026-42897: Microsoft Exchange Server Spoofing Vulnerability

Overview

Severity: High (CVSS 8.1)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C
Category: Spoofing
Exploit Status: Actively Exploited
Exploitation Likelihood: Detected
Patch Tuesday: 2026-May
Released: 2026-05-14
Last Updated: 2026-06-09
EPSS Score: 5.64% (percentile: 92.0%)
CISA KEV: Listed — due 2026-05-29

Description

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

FAQ

How could an attacker exploit this vulnerability?

An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

How do I protect my Exchange Server from this vulnerability?

The Exchange Emergency Mitigation Service will provide the mitigation automatically and is on by default. If it is not already enabled on your Exchange Server, you need to enable the Exchange Emergency Mitigation Service. You can find more information and instructions in the Exchange blog.

Am I protected from this vulnerability if I am running Internet Explorer or Edge with Internet Explorer Mode?

No, because Content Security Policy (CSP) is not supported by Internet Explorer or by Microsoft Edge in Internet Explorer Mode. To stay protected, make sure not to use Internet Explorer (or Internet Explorer Mode) to access OWA.

Why are there no links to updates in the Security Update Table?

Microsoft is supplying a temporary mitigation for this vulnerability through the Exchange Emergency Mitigation Service. We are working on developing and testing a more permanent fix, which we will provide when it meets our quality standards.

Update 6/9/2026: Microsoft recommends installing the June 2026 Security Updates for your version of Exchange Server as soon as possible to be protected from this vulnerability. As part of our ongoing efforts to strengthen security and improve defenses across environments, we continue to enhance protections against cross-site scripting attacks. We recommend that customers keep the mitigation described above in place. The mitigation provides an additional layer of defense and helps ensure continuous protection as further improvements are released. Additional updates will be shared as they become available. Please see the Exchange blog post for more information.
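Because the interim protection depends on the Exchange Emergency Mitigation Service (EEMS) being enabled both organization-wide and on each server, the following added example (not Microsoft's code, and not part of this advisory) reports the effective EEMS state across an organization from the Exchange Management Shell. It assumes an Exchange build with EEMS support (2016 CU23, 2019 CU14 or later, or Subscription Edition) and an account permitted to run Get-OrganizationConfig and Get-ExchangeServer; the function name Get-EemsStatusReport is made up for this example.

```powershell
# Added example: report whether EEMS is effective on every Mailbox server.
# EEMS only applies mitigations when BOTH the organization-level switch and the
# per-server switch (MitigationsEnabled) are $true, so check both.
function Get-EemsStatusReport {
    [CmdletBinding()]
    param()

    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    Get-ExchangeServer | Where-Object { $_.IsMailboxServer } | ForEach-Object {
        [PSCustomObject]@{
            Server                   = $_.Name
            Version                  = $_.AdminDisplayVersion.ToString()
            OrgMitigationsEnabled    = $orgEnabled
            ServerMitigationsEnabled = $_.MitigationsEnabled
            # Effective only when both switches are on.
            EemsEffective            = [bool]($orgEnabled -and $_.MitigationsEnabled)
            # Mitigation IDs the service has applied / that an admin has blocked.
            MitigationsApplied       = ($_.MitigationsApplied -join ',')
            MitigationsBlocked       = ($_.MitigationsBlocked -join ',')
        }
    }
}

$report = Get-EemsStatusReport
$report | Format-Table -AutoSize

# Call out servers where the advisory's mitigation cannot be delivered.
$unprotected = $report | Where-Object { -not $_.EemsEffective }
if ($unprotected) {
    Write-Warning ("EEMS is not effective on: " + ($unprotected.Server -join ', '))
    Write-Host "Enable with: Set-OrganizationConfig -MitigationsEnabled `$true"
    Write-Host "and per server: Set-ExchangeServer -Identity <Server> -MitigationsEnabled `$true"
}
```

A non-empty MitigationsBlocked column on a server means an administrator has opted that server out of specific mitigations, so review it alongside the enabled flags.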

Known Exploits (1)

  • Microsoft Exchange Server Cross-Site Scripting Vulnerability — added 2026-05-15T11:24:36Z

Detection & Weaponization (1 source)

Maturity: Exploit

  • GitHub PoC: 1 repository

Affected Products (4)

ESU

  • Microsoft Exchange Server 2016 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 14
  • Microsoft Exchange Server 2019 Cumulative Update 15

Server Software

  • Microsoft Exchange Server Subscription Edition RTM

Security Updates (1)

Acknowledgments

Anonymous

Revision History

  • 2026-05-14: Information published.
  • 2026-05-18: Updated FAQ information. This is an informational change only.
  • 2026-06-09: Added links to June 2026 Exchange Server security updates. Microsoft recommends installing these updates as soon as possible.