Exchange Server spoofing via XSS (CVE-2026-42897)

Actively exploited in the wild - CVE-2026-42897 is a high-severity cross-site scripting (XSS) vulnerability in Microsoft Exchange Server that lets an unauthenticated attacker perform spoofing attacks on any target user. Microsoft released a security update in March 2026; apply it immediately.

Overview

CVE-2026-42897 is a stored cross-site scripting (XSS) vulnerability in Microsoft Exchange Server caused by improper neutralization of user input during web page generation. An unauthenticated attacker can inject malicious scripts into Exchange web components, which execute when a victim user interacts with the crafted content.

The vulnerability carries a CVSS score of 8.1 (HIGH) with an attack vector of NETWORK and low attack complexity. No privileges are required to trigger the exploit, though user interaction is necessary for the attack to succeed.

Impact

An attacker exploiting CVE-2026-42897 can execute arbitrary JavaScript in the context of the victim’s Exchange session. This enables spoofing attacks where the attacker can:

• Forge email content or system notifications
• Trick users into revealing credentials
• Manipulate mailbox views and settings

Since this is actively exploited in the wild (CISA KEV confirmed), all Exchange Server instances are at immediate risk. The CISA KEV designation means US federal agencies must remediate by the specified due date.

Affected Versions

• Microsoft Exchange Server 2019
• Microsoft Exchange Server 2016

All cumulative updates (CUs) prior to the March 2026 Security Update are vulnerable.

Remediation

Apply the March 2026 Microsoft Exchange Server security update immediately. No workarounds or mitigations are available that fully address this vulnerability.

Additional recommended actions:

• Enable and review Exchange auditing logs for signs of script injection attempts
• Restrict Exchange web client access to trusted networks where possible
• Verify no unauthorized certificates or authentication tokens have been created

Related Threats

For broader context on current threat activity, see our Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12, coverage of APT28 Hijacks SOHO Routers - Microsoft 365 Credentials, and analysis of Storm-1175 Exploits Zero-Days to Deploy Medusa.

Security Insight

The active exploitation of this XSS vulnerability in Exchange Server continues a pattern where Microsoft’s email platform remains a prime target for credential theft and spoofing campaigns. Unlike server-side RCE flaws that dominated Exchange CVEs in prior years, this client-side XSS vector shows attackers adapting to Microsoft’s improved patch posture by targeting the human element. Organizations should treat Exchange Server as a high-value asset that requires both technical patching and user awareness training to defend against evolving attack methods.

Further Reading

• Weekly Threat Roundup: APT28 DNS Hijacking (Apr 6-12
• APT28 Hijacks SOHO Routers - Microsoft 365 Credentials
• Storm-1175 Exploits Zero-Days to Deploy Medusa
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs