On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Briefly

"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network,"
"Microsoft, which tagged the vulnerability with an 'Exploitation Detected' assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other 'certain interaction conditions,' can allow arbitrary JavaScript code to be executed in the context of the web browser."
"The Exchange Emergency Mitigation Service will provide the mitigation automatically via a URL rewrite configuration, and is enabled by default. If it's not on, users are advised to enable the Windows service."
"If using the Exchange Emergency Mitigation Service is not an option due to air-gap restrictions, the company has outlined the following series of actions: (1) Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT. (2) Apply the mitigation on a per-server basis or on all servers at once."
A security vulnerability affecting on-premises Microsoft Exchange Server has been reported as actively exploited in the wild. The issue, CVE-2026-42897 (CVSS score 8.1), is a spoofing flaw rooted in cross-site scripting: improper neutralization of input during web page generation. An attacker sends a crafted email that, when opened in Outlook Web Access and combined with certain other user interactions, causes arbitrary JavaScript to execute in the victim's browser, within the user's OWA session. Microsoft offers an interim mitigation through the Exchange Emergency Mitigation Service (EEMS), which delivers it automatically as an IIS URL rewrite configuration; EEMS is enabled by default, and administrators whose service is off are advised to enable it. Exchange Online is not affected. Affected versions are Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition, at all update levels. Where EEMS cannot be used, for example on air-gapped servers that cannot reach Microsoft to fetch mitigations, Microsoft recommends downloading the latest Exchange On-premises Mitigation Tool (EOMT) and applying the mitigation per server or to all servers at once.
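As an added example (not code from The Hacker News article or from Microsoft), the following PowerShell script is the triage an Exchange administrator would run from the Exchange Management Shell on each on-premises server before relying on the automatic path described above: it confirms the EEMS Windows service is running, that the server can reach the service EEMS pulls mitigations from, what the org and server objects report as enabled, applied and blocked mitigations, and which IIS URL Rewrite rules are in effect on the site and the OWA virtual directory. It is read-only unless `-Enable` is passed, in which case it turns the service on as the article advises. The service name `MSExchangeMitigation`, the `MitigationsEnabled`/`MitigationsApplied`/`MitigationsBlocked` properties, the `officeclient.microsoft.com` endpoint and the default IIS path names are assumptions to verify against your deployment and Microsoft's EEMS documentation; EOMT's own parameters are not shown because the article does not give them.

```powershell
<#
Added example, not from the article or Microsoft. Run in the Exchange
Management Shell as an Exchange administrator:  .\Check-Eems.ps1 [-Enable]

Assumptions (verify against your environment and Microsoft's EEMS docs):
  * the EEMS Windows service is named 'MSExchangeMitigation'
  * Get-OrganizationConfig / Get-ExchangeServer expose MitigationsEnabled,
    MitigationsApplied and MitigationsBlocked on supported CUs
  * EEMS fetches mitigations from officeclient.microsoft.com over TCP 443
  * the IIS site and OWA virtual directory carry their default names
#>
[CmdletBinding()]
param(
    [switch]$Enable,
    [string]$ServiceName = 'MSExchangeMitigation',
    [string]$OcsHost     = 'officeclient.microsoft.com',
    [string[]]$IisPaths  = @('IIS:\Sites\Default Web Site', 'IIS:\Sites\Default Web Site\owa')
)

function Test-EemsService {
    # Is the service present and running? With -Enable, fix a disabled/stopped service.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' not found; this CU may predate EEMS, so EOMT is the only path."
        return $false
    }
    Write-Host ("EEMS service: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)
    if ($Enable) {
        if ($svc.StartType -eq 'Disabled') { Set-Service -Name $ServiceName -StartupType Automatic }
        if ($svc.Status -ne 'Running')     { Start-Service -Name $ServiceName }
        $svc = Get-Service -Name $ServiceName
    }
    return ($svc.Status -eq 'Running')
}

function Test-OcsReachability {
    # EEMS cannot deliver anything without outbound HTTPS to the Office Config
    # Service; on an air-gapped server this fails and EOMT is needed instead.
    # (Direct TCP test only; an egress proxy would need a separate check.)
    $r = Test-NetConnection -ComputerName $OcsHost -Port 443 -WarningAction SilentlyContinue
    Write-Host ("OCS {0}:443 reachable: {1}" -f $OcsHost, $r.TcpTestSucceeded)
    return [bool]$r.TcpTestSucceeded
}

function Get-MitigationState {
    # Org-wide switch plus per-server state for every Mailbox-role server.
    $org = Get-OrganizationConfig
    Write-Host ("Org-wide MitigationsEnabled: {0}" -f $org.MitigationsEnabled)
    Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' } | ForEach-Object {
        [pscustomobject]@{
            Server              = $_.Name
            AdminDisplayVersion = $_.AdminDisplayVersion
            MitigationsEnabled  = $_.MitigationsEnabled
            MitigationsApplied  = ($_.MitigationsApplied -join ', ')
            MitigationsBlocked  = ($_.MitigationsBlocked -join ', ')
        }
    }
}

function Get-EemsRewriteRules {
    # EEMS ships mitigations as IIS URL Rewrite rules, so the effective rule set
    # on the site and the OWA vdir shows whether this one has landed.
    Import-Module WebAdministration -ErrorAction Stop
    foreach ($p in $IisPaths) {
        Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' -PSPath $p |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $p
                    Rule    = $_.name
                    Pattern = $_.match.url
                    Stop    = $_.stopProcessing
                }
            }
    }
}

$serviceOk = Test-EemsService
$ocsOk     = Test-OcsReachability
Get-MitigationState  | Format-Table -AutoSize
Get-EemsRewriteRules | Format-Table -AutoSize
if (-not ($serviceOk -and $ocsOk)) {
    Write-Warning 'EEMS cannot deliver the mitigation on this server; apply it with EOMT from aka[.]ms/UnifiedEOMT per its documentation.'
}
```

Run it on every server in the organization, since EEMS state and the rewrite rules are per-server even though `MitigationsEnabled` on the organization config is a single global switch. An empty `MitigationsApplied` on a server whose service is running and whose OCS check succeeds usually means the service simply has not polled yet; a non-empty `MitigationsBlocked` means someone has explicitly opted that server out and it will stay exposed until the block is lifted or EOMT is run.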
Read at The Hacker News