Critical Exchange Server Zero-Day Under Active Attack – Microsoft Issues Emergency Mitigations
Breaking: Microsoft Confirms Active Exploitation of Exchange Server Zero-Day CVE-2026-42897
Microsoft has urgently released mitigations for a critical zero-day vulnerability in Exchange Server, tracked as CVE-2026-42897, that is currently being exploited in the wild. The flaw affects all supported versions of Exchange Server, including 2016, 2019, and the Subscription Edition.

Until a permanent patch is available, organizations must apply the provided mitigations immediately to prevent unauthorized access. The company warns that attackers are already leveraging this vulnerability to compromise email systems.
Technical Details and Impact
According to Microsoft’s advisory, the vulnerability allows remote code execution via a specially crafted request to the Exchange Control Panel (ECP). An unauthenticated attacker could exploit it to gain full control of the affected server.
“This is a high-severity issue that could lead to data exfiltration, credential theft, and lateral movement within networks,” said Dr. Sarah Mitchell, a cybersecurity researcher at ThreatLabs. “We have observed targeted attacks using this exploit against critical infrastructure sectors.”
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-42897 to its Known Exploited Vulnerabilities Catalog, urging federal agencies to apply mitigations by November 15.
Mitigations and Workarounds
Microsoft has published detailed workarounds that include restricting access to the ECP via IP address filtering and disabling certain Exchange services. However, these are temporary measures and may impact mail flow.
Background
Exchange Server has been a prime target for attackers in recent years. Notable incidents include the ProxyLogon (CVE-2021-26855) and ProxyShell vulnerabilities, which were widely exploited by ransomware groups and state-sponsored actors.

“The pattern is worrying: Microsoft’s Exchange products continue to be a high-value attack surface,” commented James Turner, VP of Products at SecureMail. “Each zero-day reinforces the need for defense-in-depth and faster patching cycles.”
The discovery of this zero-day was reported by researchers at the Zero Day Initiative and confirmed by the Microsoft Security Response Center (MSRC).
What This Means
Organizations running Exchange Server should treat this as a critical incident. The mitigations are a stopgap; a permanent fix is expected to arrive in the December security update.
Until then, companies must monitor logs for suspicious ECP activity and segment Exchange servers from other internal systems. Failure to act could result in compromised email communications and regulatory penalties.
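The article tells administrators to monitor logs for suspicious ECP activity without saying what that looks like in practice. The script below is an added example, not code from the article, Microsoft, or any vendor quoted here: it parses IIS W3C access logs (the format Exchange front-end IIS writes by default), picks out requests to the Exchange Control Panel virtual directory, and flags those coming from client addresses outside an internal allowlist. The allowlist networks, the log field order, and the log lines themselves are constructed for the example.

```python
"""Flag Exchange Control Panel (ECP) requests from outside an internal allowlist.

Reads IIS W3C-format access log text, honours the #Fields header, and reports
every request whose URI stem begins with /ecp where the client IP (c-ip) is not
in an assumed set of administrative networks. Example code, not a vendor tool.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample log (not real data). Field order follows a typical IIS W3C
# configuration; IIS writes '+' instead of spaces inside the User-Agent field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-11-03 08:12:41 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.20.14 Mozilla/5.0+(Windows+NT+10.0) 200
2026-11-03 08:13:02 10.0.0.5 GET /ecp/ - 443 CONTOSO\\admin 10.0.10.7 Mozilla/5.0+(Windows+NT+10.0) 200
2026-11-03 08:13:09 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.45 Mozilla/5.0+(X11;+Linux+x86_64) 200
2026-11-03 08:13:10 10.0.0.5 GET /ECP/auth/logon.aspx url=https%3a%2f%2fmail%2fecp 443 - 198.51.100.9 Mozilla/5.0 200
2026-11-03 08:14:00 10.0.0.5 GET /Microsoft-Server-ActiveSync - 443 CONTOSO\\bob 198.51.100.20 Apple-iPhone 200
"""

# Assumed administrative networks from which ECP access is expected (placeholder ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    status: str
    user: str


def parse_w3c(text):
    """Parse IIS W3C log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat mid-file after a restart
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records rather than misalign fields
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip, nets=ALLOWED_NETS):
    """True if ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # '-' or garbage never counts as internal
    return any(addr in net for net in nets)


def flag_external_ecp(records, nets=ALLOWED_NETS):
    """Return a Finding for every ECP request whose client address is not allowlisted."""
    findings = []
    for rec in records:
        uri = rec.get("cs-uri-stem", "")
        if not uri.lower().startswith("/ecp"):  # IIS paths are case-insensitive
            continue
        ip = rec.get("c-ip", "")
        if is_internal(ip, nets):
            continue
        findings.append(Finding(
            timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
            client_ip=ip,
            method=rec.get("cs-method", ""),
            uri=uri,
            status=rec.get("sc-status", ""),
            user=rec.get("cs-username", "-"),
        ))
    return findings


if __name__ == "__main__":
    for f in flag_external_ecp(parse_w3c(SAMPLE_LOG)):
        print(f"{f.timestamp} {f.client_ip} {f.method} {f.uri} status={f.status} user={f.user}")
```

Two practical caveats: if Exchange sits behind a load balancer or reverse proxy, `c-ip` will be the proxy's address, so the X-Forwarded-For header must be added to the IIS log fields and parsed instead; and an allowlist hit is not proof of benign traffic, only a way to cut the review down to the requests that should not exist once the IP-filtering mitigation is in place.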
Next Steps for IT Teams
- Apply Microsoft’s official mitigations immediately.
- Check for signs of compromise using the Exchange Health Checker script.
- Enable multi-factor authentication for all administrative accounts.
Microsoft’s advisory can be found here. Stay tuned for updates as the story develops.