Exchange Server Security Update Fixes Exploited Outlook Web Access XSS Flaw

Microsoft has released security updates to fix an actively exploited Exchange Server vulnerability that could allow attackers to run malicious JavaScript code in users’ browsers through Outlook Web Access (OWA).

Tracked as CVE-2026-42897, the flaw is a cross-site scripting (XSS) vulnerability affecting Exchange Server 2016 and Exchange Server 2019, as well as Exchange Server Subscription Edition. Microsoft confirmed the vulnerability has been exploited in the wild and urged administrators to install the latest security updates as soon as possible.

According to Microsoft, attackers can exploit the issue remotely without authentication by sending a specially crafted email to a target user. If the victim opens the email through Outlook Web Access and certain interaction requirements are met, the attacker can execute arbitrary JavaScript code within the user’s browser session.

The vulnerability does not require the attacker to have privileges on the target Exchange Server. Instead, the attack relies on tricking users into interacting with a malicious email through the web-based Outlook interface.

Microsoft Already Deployed Temporary Mitigations

Before releasing the permanent fix, Microsoft rolled out automatic protections through the Exchange Emergency Mitigation Service in mid-May.

The temporary mitigation was designed to reduce the risk of exploitation while the company finalized and tested security updates for supported Exchange Server versions.

Microsoft says administrators should continue to keep the mitigation enabled even after installing the June 2026 security updates.

According to the company, the mitigation provides an additional layer of protection while Microsoft continues improving broader defenses against similar XSS-based attacks.

Organizations running any of these Exchange Server versions should deploy the latest June 2026 security updates immediately.

Microsoft Continues Security Push Across Windows and Exchange

The Exchange Server fix arrives as Microsoft continues addressing multiple security issues across its software ecosystem.

Earlier this week, the company released June 2026 Patch Tuesday updates that fixed more than 200 vulnerabilities, including several publicly disclosed zero-day flaws. Microsoft also recently addressed desktop.ini-related security concerns through KB5094126 and KB5093998.

Separately, security researchers have drawn attention to the RoguePlanet exploit, a Microsoft Defender race-condition vulnerability that reportedly allows attackers to obtain SYSTEM privileges on fully patched Windows systems under certain conditions.

Exchange administrators should prioritize deployment of the latest security updates and maintain Microsoft’s emergency mitigations to reduce exposure to ongoing attacks.

Via BleepingComputer