**Microsoft** has rolled out critical patches for an actively exploited vulnerability affecting **Exchange Server**. The flaw, identified as **CVE-2026-42897**, is a high-severity spoofing vulnerability that enables threat actors to execute arbitrary JavaScript code within **Outlook Web Access** (OWA) sessions. ### The Vulnerability Explained **CVE-2026-42897** impacts **Exchange Server 2016**, **Exchange Server 2019**, and **Exchange Server Subscription Edition (SE)**. It can be exploited by remote attackers without requiring any prior privileges. The attack vector involves sending a specially crafted email to a user. If the user opens this email in **Outlook Web Access** and specific interaction conditions are met, malicious JavaScript can be executed within the user's browser context. ### Microsoft's Response and Mitigation **Microsoft** first addressed this issue in mid-May by deploying automatic temporary mitigations through the **Exchange Emergency Mitigation Service (EEMS)**. However, yesterday, the company released full security updates to permanently resolve the flaw in affected **Exchange Server** installations. Admins are strongly advised to deploy these June 2026 Security Updates as soon as possible. **Microsoft** also recommends keeping the previously implemented mitigations in place, as they provide an additional layer of defense and ensure continuous protection. ### CISA's Warning and Historical Context The **Cybersecurity and Infrastructure Security Agency (CISA)** has added **CVE-2026-42897** to its **Known Exploited Vulnerabilities Catalog**, highlighting its active exploitation in the wild. **CISA** mandated U.S. government agencies to patch their servers within two weeks of the alert, by May 29. This is not an isolated incident for **Microsoft Exchange Server**. Over the past five years, **CISA** has cataloged 20 **Exchange Server** vulnerabilities as actively exploited, with ransomware gangs leveraging 14 of them. In October, following the end-of-support for **Exchange 2016** and **2019**, **CISA** and the **National Security Agency (NSA)** also issued joint guidance on hardening **Exchange servers** against potential attacks. Organizations running affected **Exchange Server** versions must prioritize the immediate application of these security updates to safeguard their environments against ongoing threats.