Skip to content

Microsoft Exchange Server Zero-Day Actively Exploited in the Wild

Dark Reading · Story 4 of 6

Microsoft has confirmed active exploitation of a zero-day vulnerability in Exchange Server, tracked as CVE-2026-42897. The vulnerability affects the Outlook Web Access (OWA) component and allows an unauthorized attacker to execute spoofing attacks against fully updated Exchange Server 2016 and Exchange Server 2019 installations.

The flaw is particularly dangerous because it can be triggered simply by a target opening a malicious email, requiring no additional user interaction beyond that initial action. Microsoft disclosed the vulnerability on May 14 as part of its security update guidance, describing active attacks in the wild.

As of May 25, no permanent patch is available. Microsoft has released emergency mitigation guidance and is urging all Exchange Server administrators to apply the recommended mitigations immediately. The mitigation involves configuring specific URL rewrite rules in the Exchange Server's web.config file to block the attack vectors.

This is the latest in a string of serious Exchange Server vulnerabilities that have plagued organizations since the ProxyLogon attacks of 2021. Exchange Server remains a high-value target for threat actors because of its ubiquitous deployment in enterprise environments and the direct access it provides to organizational email and calendar data.

Security researchers note that organizations running on-premises Exchange Server face the highest risk, while Exchange Online (Microsoft 365) customers are protected by Microsoft's cloud infrastructure. The vulnerability underscores the ongoing risks of self-hosted email infrastructure and the importance of rapid incident response capabilities.

Administrators should also review Exchange Server logging for signs of exploitation, including unusual OWA access patterns and unexpected authentication attempts from external sources.

Analysis
Live

Another month, another critical Exchange zero-day. The pattern is clear: on-premises Exchange is a persistent liability. Organizations still self-hosting email should treat this as another data point in the business case for migrating to cloud-based email, or at minimum ensure their emergency patching procedures can execute within hours.

Frequently Asked Questions
What should Exchange Server administrators do right now?

Apply Microsoft's emergency mitigation (URL rewrite rules in web.config) immediately, audit OWA logs for unusual access patterns, and monitor for the upcoming permanent patch. Exchange Online/M365 customers are not affected.