Microsoft Exchange Zero-Day Under Attack, No Patch Available
ID: d765086c-458c-5d29-a661-aee9f76c056a
STIX ID: report--d765086c-458c-5d29-a661-aee9f76c056a
Feed Name: Dark Reading
Microsoft disclosed CVE-2026-42897, an actively exploited cross-site scripting zero-day in Exchange Outlook Web Access (OWA) affecting Exchange Server 2016, 2019, and Subscription Edition. Successful exploitation can execute arbitrary JavaScript in the browser to access mailboxes and session tokens and to modify mailbox settings, enabling business email compromise or facilitating ransomware. Microsoft recommends enabling the Exchange Emergency Mitigation Service or applying the updated Exchange On-premises Mitigation Tool while a security update is developed.
