Microsoft patches a critical on-prem Exchange flaw that could enable spoofing attacks
A newly disclosed vulnerability in on-premises Microsoft Exchange Server is drawing renewed attention from defenders who already treat mail infrastructure as one of the highest-risk assets in the enterprise. Tracked as CVE-2026-42897, the issue affects on-prem Exchange deployments and could allow spoofing activity through Outlook Web Access, one of the most widely used browser-based interfaces for corporate email.
The Hacker News reported that the problem is linked to a cross-site scripting weakness. In practice, that means a web application fails to properly neutralize attacker-controlled input, opening the door to malicious script execution inside otherwise legitimate pages.
Microsoft described the bug as an incorrect neutralization of input during web page generation. A remote attacker could abuse that weakness with specially crafted content designed to mislead a user and trigger malicious actions inside an active Outlook Web Access session.
While the company did not describe the issue as an internet-scale emergency, it did release urgent security updates and urged organizations to patch Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition as quickly as possible.
The incident is another reminder of how exposed Exchange environments remain. Over the last several years, Microsoft mail servers have repeatedly become high-value targets for ransomware crews, espionage operators, and state-linked actors. Previous flaws such as ProxyLogon and ProxyShell were widely used to compromise organizations around the world.
The strategic appeal is obvious: Exchange is often deeply integrated with directory services, enterprise authentication, and internal communications. Compromising a mail server can become a stepping stone to much broader access across the network.
Many Exchange environments also remain directly reachable from the public internet, which increases the attack surface. Historically, threat actors have moved quickly once new Exchange weaknesses are disclosed, exploiting the gap between patch release and patch deployment inside real organizations.
Defenders should apply the security fixes, review OWA-related logs, require multifactor authentication where possible, and reduce unnecessary exposure of administrative or web-facing Exchange surfaces.
The flaw also revives the broader debate around migration to managed cloud platforms such as Microsoft 365. Many organizations still rely on on-prem deployments for regulatory, operational, or compatibility reasons, but each new Exchange incident adds pressure to move toward platforms where patching and threat monitoring are handled more centrally.
For security teams, the lesson remains the same: mail servers are still among the most sensitive and operationally critical systems in a modern enterprise environment.