
Microsoft Releases Security Advisory for a Zero-Day Vulnerability in Exchange Server



Summary

Successful exploitation of CVE‑2026‑42897 could lead to arbitrary JavaScript execution in the browser context for users of on‑premises Microsoft Exchange Server deployments


Threat details

Exploitation of CVE-2026-42897

Microsoft has confirmed active exploitation of CVE-2026-42897 in the wild.

The NHS England National CSOC assesses further exploitation as highly likely.


Introduction

Microsoft has released a security advisory to address a high‑severity vulnerability in Microsoft Exchange Server. An attacker could exploit this vulnerability by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

  • CVE‑2026‑42897 – "Improper Neutralisation of Input During Web Page Generation" vulnerability – CVSS v3.1 score of 8.1

June 2026: Update to ensure continued function of Exchange Emergency Mitigation (EM) and Feature Flighting services

Microsoft has stated in its Released: June 2026 Exchange Server Security Updates advisory that, due to a service-side change, the Exchange Emergency Mitigation (EM) and Exchange Flighting services will be unable to use any new mitigations (from July 2026 onwards), unless the June 2026 update is applied.

The NHS England National CSOC strongly encourages affected organisations to apply the Exchange June 2026 update as soon as possible.


Threat updates

Date           Update
11 Jun 2026    Updates released by Microsoft

The following items have been updated to reflect this change:

  • Remediation advice
  • June 2026: Update to ensure continued function of Exchange Emergency Mitigation (EM) and Feature Flighting services
  • Definitive source of threat updates

Remediation advice

Affected organisations are encouraged to review Microsoft's Released: June 2026 Exchange Server Security Updates and Microsoft Exchange Server Spoofing Vulnerability advisories and apply the relevant updates as soon as possible.

Note: If organisations have already applied the mitigations in Microsoft's Addressing Exchange Server May 2026 vulnerability CVE‑2026‑42897 advisory, Microsoft recommends that customers keep the mitigations in place as they provide an additional layer of protection.
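To support the remediation steps above, the following is an added example (it is not part of the NHS England advisory nor Microsoft's own tooling) of an inventory check run from the Exchange Management Shell of an on-premises organisation. It reports each server's ExSetup.exe version (which reflects the security update level), whether the Exchange Emergency Mitigation service (MSExchangeMitigation) is present and running, the organisation-wide MitigationsEnabled switch, and any mitigations already applied, so that servers still lacking the June 2026 update can be listed. It assumes WinRM access to each server and the standard Exchange cmdlets; the required build number is not stated in the advisory, so it is a placeholder to be replaced with the build from Microsoft's June 2026 release notes.

```powershell
# Added example, not from the advisory or from Microsoft.
# Run from the Exchange Management Shell with rights to query all servers.

# PLACEHOLDER: replace with the ExSetup.exe build of the June 2026 SU
# as listed in Microsoft's "Released: June 2026 Exchange Server Security Updates".
$RequiredExSetupVersion = [version]'0.0.0.0'

# Organisation-wide switch for the Emergency Mitigation (EM) service.
$orgMitigationsEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' })) {
    try {
        # ExSetup.exe file version changes with each SU, unlike AdminDisplayVersion,
        # which only reflects the cumulative update. $env:ExchangeInstallPath is set
        # by Exchange setup on every server.
        $exsetup = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
            $path = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            (Get-Item $path).VersionInfo.FileVersion
        }
        # Service name of the Microsoft Exchange Emergency Mitigation service.
        $emService = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
            Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        }
        $reachable = $true
    } catch {
        $exsetup   = $null
        $emService = $null
        $reachable = $false
    }

    [pscustomobject]@{
        Server             = $srv.Name
        Reachable          = $reachable
        ExSetupVersion     = $exsetup
        NeedsJuneUpdate    = if ($exsetup) { [version]$exsetup -lt $RequiredExSetupVersion } else { 'Unknown' }
        EMServiceStatus    = if ($emService) { $emService.Status } else { 'NotFound' }
        OrgMitigationsOn   = $orgMitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ', ')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ', ')
    }
}

# Servers needing the update (or that could not be queried) are listed first.
$report | Sort-Object NeedsJuneUpdate -Descending | Format-Table -AutoSize
```

Servers showing the EM service stopped or absent, or MitigationsEnabled set to False, will not receive the service-side mitigations the advisory refers to, and from July 2026 the service cannot apply new mitigations at all until the June 2026 update is installed, so those rows merit the same priority as the NeedsJuneUpdate rows.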



Last edited: 11 June 2026 12:15 pm