Importantly, there was no evidence the Pwn2Own chain was being exploited in the wild at the time. Its disclosure primarily signaled that additional undisclosed vulnerabilities existed in Exchange and would need patching.
At nearly the same time, Microsoft warned of a separate vulnerability already being used in attacks.
The flaw, CVE‑2026‑42897, is an improper input neutralization vulnerability (cross‑site scripting) in Microsoft Exchange Server that can allow spoofing or malicious script execution through web interfaces such as Outlook Web Access.
Security reports indicated attackers could exploit the issue by delivering specially crafted content that executes JavaScript in the victim’s browser when viewed through OWA.
The vulnerability affects on‑premises Exchange deployments, including:
The issue carried a CVSS score around 8.1 (High severity) and was quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming real‑world exploitation.
Because the vulnerability was already being exploited before a permanent patch was available, Microsoft released temporary mitigations.
The primary mitigation relied on the Exchange Emergency Mitigation Service (EEMS), which can automatically apply defensive rules to servers.
For CVE‑2026‑42897, the service deployed a mitigation using URL Rewrite rules to block malicious requests targeting the vulnerable component.
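Because EEMS only helps when it is actually switched on, a defender's first check is whether the service is enabled at the organization level and on every server, and which mitigations each server reports as applied. The following script is an added example, not part of this article and not Microsoft's own tooling; it uses the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties exposed through the Exchange Management Shell, and the server names it prints are whatever your environment returns (no specific rule name for CVE‑2026‑42897 is assumed).

```powershell
# Added example (not from the article): audit Exchange Emergency Mitigation
# Service (EEMS) state across an on-premises organization.
# Run from the Exchange Management Shell with an account that holds the
# Organization Management role. Nothing here is specific to one CVE; it only
# reports what EEMS has enabled, applied, or blocked.

# 1. Organization-level switch. If this is $false, no server will receive
#    any mitigation regardless of per-server settings.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level (Set-OrganizationConfig -MitigationsEnabled `$true to enable)."
}

# 2. Per-server view. Each server can opt out individually, and each reports
#    the mitigations it has applied and any an administrator has blocked.
$report = Get-ExchangeServer | ForEach-Object {
    [PSCustomObject]@{
        Server             = $_.Name
        MitigationsEnabled = $_.MitigationsEnabled
        MitigationsApplied = ($_.MitigationsApplied -join ', ')
        MitigationsBlocked = ($_.MitigationsBlocked -join ', ')
    }
}
$report | Format-Table -AutoSize

# 3. Flag servers that have EEMS turned off so they can be reviewed. The
#    Set-ExchangeServer line is left commented so the script stays read-only;
#    uncomment it once you have confirmed the server should receive mitigations.
$report | Where-Object { -not $_.MitigationsEnabled } | ForEach-Object {
    Write-Warning "EEMS disabled on server $($_.Server)"
    # Set-ExchangeServer -Identity $_.Server -MitigationsEnabled $true
}
```

Run it on a schedule or after any change window: a server whose `MitigationsApplied` list is empty while its peers show the current mitigation is the one that has not received the URL Rewrite rule and needs attention.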
Administrators were advised to:
The vulnerability was quickly added to the CISA Known Exploited Vulnerabilities catalog, meaning U.S. federal civilian agencies must remediate it according to Binding Operational Directive (BOD) 22‑01 requirements.
In practice, KEV inclusion signals that organizations should treat the vulnerability as an urgent operational risk, not a theoretical weakness.
Typical remediation expectations include:
Taken together, the two incidents illustrate why on‑premises Exchange servers continue to be attractive targets.
Several factors contribute to the risk:
1. Internet exposure
Exchange deployments commonly expose services such as Outlook Web Access to the public internet, increasing the attack surface.
2. High privilege value
Compromising Exchange often provides access to email data, authentication tokens, and potentially the broader Windows domain environment.
3. Multiple attack paths
The same week demonstrated both ends of the threat spectrum:
4. Patch timing gaps
The zero‑day showed that attackers can exploit vulnerabilities before fixes are released, forcing defenders to rely on temporary mitigations and monitoring.
The events surrounding Pwn2Own Berlin 2026 and CVE‑2026‑42897 reinforce a consistent pattern: on‑premises Exchange servers remain a critical security exposure point for many organizations.
While the Pwn2Own exploit demonstrated what skilled researchers can achieve in controlled conditions, the actively exploited zero‑day showed how quickly attackers move when a real vulnerability appears.
For organizations still running on‑premises Exchange, the practical takeaway is clear: minimize internet exposure, keep mitigation services enabled, and apply security updates as soon as they become available.