
Microsoft Reveals Actively Exploited Security Flaw in Exchange Server
Microsoft disclosed a security vulnerability, CVE-2026-42897 (CVSS score 8.1), that affects on-premises versions of Exchange Server and has been actively exploited in the wild. The flaw is described as a spoofing bug arising from a cross-site scripting (XSS) vulnerability. An anonymous researcher was credited with discovering and reporting the issue. No specific exploitation timeline or affected versions were detailed, and no additional technical or mitigation details were provided in the disclosure.