Microsoft Releases Security Advisory for a Zero-Day Vulnerability in Exchange Server
Summary
Successful exploitation of CVE‑2026‑42897 could lead to arbitrary JavaScript execution in the browser context for users of on‑premises Microsoft Exchange Server deployments
Affected platforms
The following platforms are known to be affected:
Threat details
Exploitation of CVE-2026-42897
Microsoft has confirmed active exploitation of CVE-2026-42897 in the wild.
The NHS England National CSOC assesses further exploitation as highly likely.
Introduction
Microsoft has released a security advisory to address a high‑severity vulnerability in Microsoft Exchange Server. An attacker could exploit this vulnerability by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
- CVE‑2026‑42897 – "Improper Neutralisation of Input During Web Page Generation" vulnerability – CVSS v3.1 score of 8.1
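The weakness class named above (improper neutralisation of input during web page generation, CWE-79) comes down to whether untrusted message fields are encoded for the context they are rendered into. The following Python is an added illustration written for this page, not code from Microsoft or Exchange: it renders a constructed message preview first without encoding and then with `html.escape`, and parses the result the way a browser would to show which version still carries executable content. The sample subject and sender values are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample values for this illustration; they are not taken from
# the advisory and carry only harmless page-title changes as payloads.
SAMPLE_SUBJECT = 'Quarterly report <script>document.title="x"</script>'
SAMPLE_SENDER = 'alice@example.invalid" onmouseover="document.title=1'


def render_unsafe(subject: str, sender: str) -> str:
    """CWE-79 pattern: untrusted fields are spliced straight into HTML.

    The subject lands in element-body context, the sender in an attribute
    value, so each needs neutralising for its own context."""
    return f'<div class="msg" data-from="{sender}"><span>{subject}</span></div>'


def render_safe(subject: str, sender: str) -> str:
    """Hardened form: html.escape(..., quote=True) turns & < > " ' into
    entities, which the browser renders as text rather than markup.

    quote=True matters for the attribute context: without it a double quote
    in the sender would still close the data-from attribute."""
    return (
        f'<div class="msg" data-from="{html.escape(sender, quote=True)}">'
        f'<span>{html.escape(subject, quote=True)}</span></div>'
    )


class _ActiveContentFinder(HTMLParser):
    """Collects script elements and on* event-handler attributes as the
    HTML parser sees them, i.e. after entity decoding, so escaped text
    inside an attribute value is correctly not reported."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")


def active_content(rendered: str) -> list[str]:
    """Return the executable constructs a browser would find in `rendered`."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = renderer(SAMPLE_SUBJECT, SAMPLE_SENDER)
        print(f"{label}: {active_content(out) or 'no active content'}")
```

The parser-based check is deliberately not a regex over the raw string: the escaped output still contains the literal text `onmouseover=` inside a quoted attribute value, and only a tokenizer that applies the same rules as the browser can tell that it is inert there.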
June 2026: Update to ensure continued function of Exchange Emergency Mitigation (EM) and Feature Flighting services
Microsoft has stated in its Released: June 2026 Exchange Server Security Updates advisory that, due to a service-side change, the Exchange Emergency Mitigation (EM) and Exchange Flighting services will be unable to use any new mitigations (from July 2026 onwards), unless the June 2026 update is applied.
The NHS England National CSOC strongly encourages affected organisations to apply the Exchange June 2026 update as soon as possible.
Threat updates
| Date | Update |
|---|---|
| 11 Jun 2026 | Updates released by Microsoft. The following items have been updated to reflect this change: |
Remediation advice
Affected organisations are encouraged to review Microsoft's Released: June 2026 Exchange Server Security Updates and Microsoft Exchange Server Spoofing Vulnerability advisories and apply the relevant updates as soon as possible.
Note: If organisations have already applied the mitigations in Microsoft's Addressing Exchange Server May 2026 vulnerability CVE‑2026‑42897 advisory, Microsoft recommends that customers keep the mitigations in place as they provide an additional layer of protection.
Definitive source of threat updates
- https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
- https://techcommunity.microsoft.com/blog/exchange/released-june-2026-exchange-server-security-updates/4524491
Last edited: 11 June 2026 12:15 pm