A zero-day vulnerability in Microsoft Exchange, identified as CVE-2026-42897, is being actively exploited. It is a cross-site scripting vulnerability that allows attackers to compromise Outlook Web Access mailboxes and gain unauthorized access to sensitive email accounts, posing a significant threat to organizations that rely on Microsoft Exchange. The vulnerability is currently under discussion with Microsoft, and its exploitation status will determine the necessary course of action: either immediate patching or close monitoring. As no patch is currently available, organizations are advised to exercise caution and consider temporary mitigations to reduce the risk of exploitation. The absence of a patch for CVE-2026-42897 makes it a pressing concern for security teams, who must carefully assess the situation and prepare for potential attacks. What matters most to practitioners is staying vigilant and proactive in protecting their Exchange environments from this emerging threat.