Microsoft issued an advisory late Thursday confirming active exploitation of a spoofing vulnerability in on-premises Exchange Server that turns Outlook Web Access (OWA) into a launching pad for JavaScript execution. The flaw, tracked as CVE-2026-42897, carries a CVSS score of 8.1—high severity—and affects Exchange Server 2016, Exchange Server 2019, and the latest Subscription Edition (SE), regardless of whether systems have up-to-date patches installed.

The vulnerability stems from a cross-site scripting issue that lets attackers craft emails which, when opened in OWA, trigger arbitrary JavaScript execution inside the victim’s browser. Microsoft’s advisory notes that exploitation requires ‘certain interaction conditions’ to be met, but it doesn’t specify what those are. What’s clear is that attackers are already using this vector in the wild, meaning organizations running on-prem Exchange are at immediate risk.

Why admins should worry

OWA is often the front door to corporate email systems, and a browser-based attack here bypasses many traditional defenses. Since the flaw allows JavaScript to run in the user’s browser context, attackers can harvest session cookies, steal credentials, or plant secondary malware without ever touching the Exchange server itself. Microsoft hasn’t released a patch yet, so the only immediate mitigations are behavioral: users should avoid clicking suspicious links or opening unexpected emails in OWA until a fix arrives.

Exchange Server 2016, 2019, and SE are all in the crosshairs. The Subscription Edition, the newest release, is included in the warning, which means even recently updated systems aren’t safe. Security researchers say the bug resembles older OWA spoofing flaws that Microsoft has patched in the past, but this one has slipped through with a higher severity rating and active exploitation.

What’s next for Microsoft

Microsoft typically rolls out fixes on Patch Tuesday, the second Tuesday of each month. Given the active exploitation and high severity, many expect an out-of-band patch sooner rather than later. In the meantime, the company recommends admins enable OWA security features like Safe Links and Safe Attachments, which can block some malicious payloads before they reach users. Organizations should also review OWA access logs for unusual activity and consider temporarily restricting OWA access to trusted networks only.
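The advice to "review OWA access logs for unusual activity" and to restrict OWA to trusted networks can be turned into a concrete check. The script below is an added example, not code from The Register's article or from Microsoft: it parses a few constructed IIS W3C log lines for the OWA virtual directory (the field order is taken from the log's own `#Fields:` header, so it must be checked against your servers' configured fields), flags successful OWA requests from source addresses outside an assumed corporate range, and flags accounts that were served from more than a small number of distinct source IPs in the window. The trusted network, the threshold and the sample addresses are all assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log in IIS W3C format. The field list follows the
# "#Fields:" header; real IIS installs let admins choose the logged fields,
# so always read that header rather than hard-coding column positions.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2026-05-14 09:01:12 10.0.5.23 CORP\\alice GET /owa/ 200 Mozilla/5.0
2026-05-14 09:02:40 10.0.5.23 CORP\\alice POST /owa/service.svc 200 Mozilla/5.0
2026-05-14 09:10:03 203.0.113.77 CORP\\alice GET /owa/ 200 Mozilla/5.0
2026-05-14 09:11:55 198.51.100.9 CORP\\alice GET /owa/ 200 python-requests/2.31
2026-05-14 09:15:00 10.0.7.2 CORP\\bob GET /owa/ 200 Mozilla/5.0
2026-05-14 09:16:30 10.0.7.2 CORP\\bob GET /owa/auth/logon.aspx 401 Mozilla/5.0
2026-05-14 09:20:11 192.0.2.44 - GET /owa/ 401 Mozilla/5.0
"""

# Assumed corporate address space; replace with the ranges OWA should be reachable from.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Skip malformed lines instead of mis-assigning columns.
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def is_trusted(ip):
    """True when the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_owa_log(text, max_ips_per_user=2):
    """Return two findings over OWA requests:
    - successful (HTTP 200) authenticated requests from untrusted source IPs
    - accounts served from more than max_ips_per_user distinct source IPs
    """
    untrusted = []
    ips_by_user = defaultdict(set)
    for rec in parse_iis_log(text):
        if not rec["cs-uri-stem"].lower().startswith("/owa"):
            continue
        user = rec["cs-username"]
        # Only count authenticated, successful requests; failed logons ("-", 401) are noise here.
        if rec["sc-status"] == "200" and user != "-":
            ips_by_user[user].add(rec["c-ip"])
            if not is_trusted(rec["c-ip"]):
                untrusted.append((rec["date"] + " " + rec["time"], user,
                                  rec["c-ip"], rec["cs(User-Agent)"]))
    multi_ip_users = {u: sorted(ips) for u, ips in ips_by_user.items()
                      if len(ips) > max_ips_per_user}
    return {"untrusted_success": untrusted, "multi_ip_users": multi_ip_users}


if __name__ == "__main__":
    findings = review_owa_log(SAMPLE_LOG)
    for f in findings["untrusted_success"]:
        print("OWA success from untrusted IP:", f)
    for u, ips in findings["multi_ip_users"].items():
        print("account served from many IPs:", u, ips)
```

On the constructed sample the script reports two successful OWA requests for `CORP\alice` from documentation-range addresses outside the trusted network (one with a non-browser user agent) and lists that account as reached from three distinct IPs; `CORP\bob` and the unauthenticated 401 line produce no findings. The same two checks map directly onto the article's mitigations: the untrusted-IP list is what a network restriction on OWA would have blocked, and the multi-IP list is the kind of session-reuse pattern a stolen OWA cookie would produce.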

The flaw highlights how attackers keep targeting Exchange because it’s a rich target: single sign-on, corporate email, and often direct access to internal resources. Unlike cloud-based Exchange Online, on-prem systems don’t get automatic updates, so admins must stay vigilant. The clock is ticking until Microsoft ships a fix—and until then, inboxes are effectively script launchpads for anyone with an exploit.

What You Need to Know

  • Source: The Register
  • Published: May 15, 2026 at 11:51 UTC
  • Category: Technology
  • Topics: #theregister · #tech · #enterprise · #security · #vulnerability · #exploited-exchange-server


All reporting rights belong to the respective author(s) at The Register. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.


Curated by GlobalBR News · May 15, 2026



🇧🇷 Summary in Portuguese

A new digital scam is exposing Outlook Web Access (OWA) users in Brazil and around the world, showing how cybercriminals are growing ever bolder in exploiting flaws in essential corporate tools. Microsoft has confirmed that hackers are already taking advantage of a critical vulnerability in Exchange Server, identified as CVE-2026-42897, which allows malicious scripts to run directly in the inboxes of users who access the service through a browser. With millions of Brazilian companies depending on Exchange for internal communication, the alert raises a red flag about cybersecurity risks in the country.

The hole affects Exchange Server 2016 and 2019, versions widely adopted by organizations in Brazil, and lets intruders inject malicious JavaScript code into OWA with no need for user interaction. Experts point out that the attack can be used to steal credentials, spy on communications, or even deploy ransomware, widening the range of damage beyond the digital environment. For a country where cybercrime already moves billions each year, the discovery reinforces the urgent need for updates and redoubled oversight of corporate systems, especially those connected to the cloud.

Microsoft has promised a patch to fix the flaw soon, but until then the recommendation is clear: Brazilian companies should prioritize applying stopgap measures and strengthen employee awareness of the dangers of phishing disguised as legitimate emails.


🇪🇸 Summary in Spanish

A serious vulnerability in Microsoft Exchange Server has opened a new avenue for cybercriminals to infect machines through Outlook Web Access (OWA), showing that corporate email remains a weak link in enterprise security. The flaw, identified as CVE-2026-42897, allows malicious code to run in users' browsers without the need for advanced authentication, which makes it a potentially devastating weapon for targeted attacks.

The problem affects versions of Exchange Server still in use (2016 and 2019), systems that many Spanish-speaking companies keep for their stability, overlooking that their exposure grows over time. Exploiting this hole not only compromises the confidentiality of messages but also opens the door to more sophisticated phishing campaigns or credential theft. With remote work now entrenched and OWA a key tool for millions of employees, the urgency of patching (while Microsoft has yet to release an official patch) underscores the need to review security protocols and make users aware of the risks of clicking suspicious links, even inside corporate environments that appear secure.