Microsoft Exchange Zero-Day Under Attack, No Patch Available

darkreading.com·May 18, 2026

CVE-2026-42897 is a cross-site scripting (XSS) vulnerability that enables attackers to compromise Outlook Web Access (OWA) mailboxes.

For a professional focused on cybersecurity and threat intelligence, the key takeaway is the importance of prioritizing the patching of CVE-2026-42897 to prevent exploitation through cross-site scripting in Outlook Web Access (OWA). This vulnerability highlights the need for continuous monitoring and updating of web-facing applications to mitigate the risk of mailbox compromises and protect sensitive information.

Want more content like this?

twixb tracks your favorite blogs and social media, filters by keywords, and delivers personalized key learnings — straight to your inbox.

Create Your Own →Explore Newsfeeds

More from Cybersecurity News

Recent stories curated alongside this one.

bleepingcomputer.com
Microsoft shares mitigation for YellowKey Windows zero-day
Microsoft has released mitigations for the YellowKey zero-day vulnerability in Windows BitLocker, which allows unauthorized access to protected drives.
risky.biz
Risky Business #838 -- GitHub investigates possible breach
In this week's cybersecurity podcast, hosts Patrick Gray, Adam Boileau, and James Wilson discuss significant news, including a potential GitHub breach, CISA's accidental leak of credentials, a critical Bitlocker vulnerability, and the Polish government's recommendation to switch messaging apps. The episode features guest Haroon Meer from Thinkst Canary, who emphasizes the importance of fundamental security practices.
risky.biz
Risky Bulletin: Microsoft takes down crime SaaS used by ransomware gangs
Microsoft has disrupted a malware-signing service utilized by ransomware gangs, while a contractor for CISA leaked sensitive GovCloud keys. Additionally, vulnerability exploitation has become the primary method for network breaches, and Drupal is preparing security updates for a critical vulnerability.
securityweek.com
Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector
Verizon's 2026 DBIR reports that vulnerability exploitation has surpassed credential abuse as the primary breach vector, driven by accelerated AI attacks, worsening patching delays, and rising incidents of ransomware and third-party compromises.
bleepingcomputer.com
Max-severity flaw in ChromaDB for AI apps allows server hijacking
A critical vulnerability in the latest Python FastAPI version of the ChromaDB project enables unauthenticated attackers to execute arbitrary code on vulnerable servers.

Browse all Cybersecurity News →

Microsoft Exchange Zero-Day Under Attack, No Patch Available

Want more content like this?

More from Cybersecurity News

Microsoft shares mitigation for YellowKey Windows zero-day

Risky Business #838 -- GitHub investigates possible breach

Risky Bulletin: Microsoft takes down crime SaaS used by ransomware gangs

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector

Max-severity flaw in ChromaDB for AI apps allows server hijacking