Forgot your password?
typodupeerror
Microsoft Bug Security

Microsoft Exchange Server Vulnerability Actively Exploited, in a Bad Week for Microsoft (securityweek.com) 12

Forbes describes it as "definitely already out there, and under active exploitation according to the U.S. Cybersecurity and Infrastructure Security Agency, urging all organizations to prioritize timely remediation as the attack vector poses a significant risk."

"We have issued CVE-2026-42897 to address a spoofing vulnerability affecting Exchange Outlook Web Access (OWA)," Microsoft told SecurityWeek. "We recommend customers enable EEMS to be better protected, and to follow our guidance available here." Microsoft this week patched 137 vulnerabilities with its Patch Tuesday updates and the cybersecurity industry was surprised to see that the latest updates did not address any zero-days. However, a zero-day was disclosed just 48 hours later, on May 14... described as a spoofing and XSS issue affecting Exchange Server Subscription Edition, 2016, and 2019. "Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," Microsoft said in its advisory.

The company noted that the vulnerability affects Exchange Outlook Web Access (OWA) and an attacker can exploit it by sending a specially crafted email to the targeted user. "If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," Microsoft explained.

CSO Online shares more details. "Admins should note there are known issues once the mitigation is applied either manually or automatically through the EM Service." - OWA Print Calendar functionality might not work. As a workaround, copy the data or screenshot the calendar you want to print, or use Outlook Desktop client.

- Inline images might not display correctly in the recipient's OWA reading pane. As a workaround, send images as email attachments or use Outlook Desktop client...

- Admins may get a message saying "Mitigation invalid for this Exchange version." in mitigation details. This issue is cosmetic and the mitigation does apply successfully if the status is shown as "Applied". Microsoft is investigating how to address this glitch.

Forbes notes "It's been something of a rough few days for Microsoft Exchange on the security vulnerability front," since this week also saw a zero-day demonstrated at the Pwn2Own Berlin hacking event, "which has been responsibly disclosed and not released into the wild." The Berlin event got off to a flying start on May 14 as Windows 11 was hit by no less than three zero-day exploits. On day two, hacking teams were no less successful, chaining together three new vulnerabilities in Microsoft Exchange in order to achieve the holy grail of SYSTEM-level remote code execution. Such was the level of this achievement that Orange Tsai from the DEVCORE Research Team was rewarded with a $200,000 bounty payment in return for immediately handing over all the technical details to the event organizers.
"This is, in fact, good news," Forbes writes, since "full details of the vulnerabilities underlying the exploits, along with the technical nature of the exploit code itself, will be handed over to Microsoft, which will then have 90 days to provide a fix before any details are made public."
This discussion has been archived. No new comments can be posted.

Microsoft Exchange Server Vulnerability Actively Exploited, in a Bad Week for Microsoft

Comments Filter:
  • by spaceman375 ( 780812 ) on Sunday May 17, 2026 @05:16PM (#66147813)

    Not a prediction, but a postdiction: Begun the cyberwars have. /yoda

  • been an Microsoft Exchange Server Vulnerability being Actively Exploited!
  • ... not for Microslop, who are just doing their business as usual, and won't squeeze any less money out of their vendor-locked-in victims.
  • by PPH ( 736903 ) on Sunday May 17, 2026 @07:38PM (#66147953)

    arbitrary JavaScript can be executed in the browser context

    ... the World Wide Web. How about just turning JavaScript off? We'd all be the better for it. [Well, except for web developers who can't close an HTML tag to save themselves.]

    • by tlhIngan ( 30335 )

      ... the World Wide Web. How about just turning JavaScript off? We'd all be the better for it. [Well, except for web developers who can't close an HTML tag to save themselves.]

      Then we'd be under attack by CSS viruses.

      (CSS is Turing-complete, mind you. It's just a bit arcane to use, but I'm sure AI will let you write the next CSS virus soon enough).

  • by Anonymous Coward
    "Security underpins every layer of our tech stack, and it's our number one priority "
    -- CEO Satya Nadella, 2024-04-25 earnings call

    "We are making security our top priority at Microsoft, above all else -- over all other features."
    -- Microsoft security chief Charlie Bell, 2024-05-03
    https://www.microsoft.com/en-u... [microsoft.com]

    ...yeah, right behind "making the world's shittiest software" and "getting paid".
  • by Mirnotoriety ( 10462951 ) on Monday May 18, 2026 @05:28AM (#66148527)
    To impede replication of the Windows platform, Microsoft employed extensive API entanglement, a strategy involving the tight coupling of the Windows kernel, core operating system (OS) components, and Microsoft applications through a dense network of proprietary APIs and undocumented internal dependencies (Campbell-Kelly, 2004; Raymond, 2001).

    This design created substantial barriers to third-party OS development, effectively raising the cost and complexity of software interoperability (Shapiro & Varian, 1999).

    The intricate interdependencies also contributed to challenges in system debugging and reverse engineering, as understanding the full operational context required navigating an opaque, non-public interface layer (Perry, 2001).
  • It's a good thing their fancy new New Outlook isn't just a web browser, opening a portal to OWA then...OH WAIT

As a computer, I find your faith in technology amusing.

Working...