Microsoft warns of active exploitation of new Exchange Server zero-day vulnerability

May 15, 2026
By SC Staff

As reported by Security Affairs, Microsoft has issued a warning regarding the active exploitation of a previously unknown zero-day vulnerability affecting Microsoft Exchange Server, identified as CVE-2026-42897.

The vulnerability, a cross-site scripting flaw with a CVSS score of 8.1, specifically impacts Outlook Web Access (OWA). Attackers can exploit this by sending a specially crafted email that, when opened in OWA under certain conditions, executes malicious JavaScript. This allows for network-based spoofing and can provide attackers with a direct path into an organization's internal communications, credentials, and business workflows.

Microsoft confirmed active exploitation in the wild but has not detailed specific attacks. While a permanent fix is pending, temporary mitigation measures have been released and administrators are urged to apply them immediately.

The exploitation of Exchange Server zero-days is particularly dangerous due to the central role of email systems in organizations and the frequent internet-facing nature of many Exchange servers. This flaw surfaced shortly after Microsoft's May 2026 Patch Tuesday, which addressed 138 vulnerabilities.

Source: Security Affairs