
Microsoft Exchange: Zero-Day Vulnerability Under Active Attack

(Image: Titima Ongkantong/Shutterstock.com)

A critical zero-day vulnerability has been discovered in Microsoft Exchange and is already being actively exploited by attackers. Administrators must respond immediately.

Microsoft has issued a warning about an actively exploited zero-day vulnerability in Exchange [1]. An updated software version has not yet been released. Microsoft also presents countermeasures that administrators should apply immediately.

According to the vulnerability description [9993], the issue stems from insufficient input sanitization during webpage generation, resulting in a cross-site scripting (XSS) flaw. Unauthenticated network attackers can exploit this to conduct spoofing attacks (CVE-2026-42897, CVSS 8.1, high risk). However, Microsoft rates the severity as “critical”. A blog post by the Microsoft Exchange Team [242897] explains the issue in detail, including the corresponding attack scenario and recommended countermeasures.

heise security News
