Microsoft confirmed a zero-day spoofing vulnerability, tracked as CVE-2026-42897, in its on-premises Exchange Server products. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog following reports of active exploitation.

Although Microsoft classifies the flaw as a spoofing vulnerability, the report describes it as enabling unauthenticated remote code execution when a maliciously crafted email is viewed in Outlook on the web (OWA, formerly Outlook Web Access); no user credentials on the server are required beyond the victim opening the message. The flaw affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition.

Microsoft issued emergency mitigation guidance for affected on-premises customers. Exchange Online is not affected by this vulnerability; note, however, that hybrid deployments still run on-premises Exchange servers and therefore remain in scope until those servers are mitigated or patched. The disclosure underscores the persistent security risk of internet-exposed on-premises enterprise communication systems.