Critical Exchange Server Zero-Day Under Active Attack – Microsoft Issues Emergency Mitigations
Breaking: Microsoft Confirms Active Exploitation of Exchange Server Zero-Day CVE-2026-42897
Microsoft has urgently released mitigations for a critical zero-day vulnerability in Exchange Server, tracked as CVE-2026-42897, that is currently being exploited in the wild. The flaw affects all supported versions of Exchange Server, including 2016, 2019, and the Subscription Edition.

Until a permanent patch is available, organizations must apply the provided mitigations immediately to prevent unauthorized access. The company warns that attackers are already leveraging this vulnerability to compromise email systems.
Technical Details and Impact
According to Microsoft’s advisory, the vulnerability allows remote code execution via a specially crafted request to the Exchange Control Panel (ECP). An unauthenticated attacker could exploit it to gain full control of the affected server.
“This is a high-severity issue that could lead to data exfiltration, credential theft, and lateral movement within networks,” said Dr. Sarah Mitchell, a cybersecurity researcher at ThreatLabs. “We have observed targeted attacks using this exploit against critical infrastructure sectors.”
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-42897 to its Known Exploited Vulnerabilities Catalog, urging federal agencies to apply mitigations by November 15.
Mitigations and Workarounds
Microsoft has published detailed workarounds that include restricting access to the ECP via IP address filtering and disabling certain Exchange services. However, these are temporary measures and may impact mail flow.
Background
Exchange Server has been a prime target for attackers in recent years. Notable incidents include the ProxyLogon (CVE-2021-26855) and ProxyShell vulnerabilities, which were widely exploited by ransomware groups and state-sponsored actors.

“The pattern is worrying: Microsoft’s Exchange products continue to be a high-value attack surface,” commented James Turner, VP of Products at SecureMail. “Each zero-day reinforces the need for defense-in-depth and faster patching cycles.”
The discovery of this zero-day was reported by researchers at ZeroDay Initiative and confirmed by Microsoft’s Security Response Center (MSRC).
What This Means
Organizations running Exchange Server should treat this as a critical incident. The mitigations are a stopgap; a permanent fix is expected to arrive in the December security update.
Until then, companies must monitor logs for suspicious ECP activity and segment Exchange servers from other internal systems. Failure to act could result in compromised email communications and regulatory penalties.
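The two defensive measures above, restricting ECP to a management allowlist and reviewing logs for ECP activity, can be checked against the server's IIS access logs. The following is an added example, not code from Microsoft or the advisory; the log excerpt is constructed, and the allowlist subnet and field order are assumptions.

```python
import ipaddress

# Constructed IIS W3C log excerpt (not real data); column order is given by the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2026-11-01 08:00:01 GET /owa/ - 10.0.5.23 CORP\\jdoe 200
2026-11-01 08:00:07 GET /ecp/ - 10.0.1.10 CORP\\admin 200
2026-11-01 08:00:09 POST /ecp/default.aspx - 203.0.113.77 - 200
2026-11-01 08:00:10 GET /ECP/ - 198.51.100.5 - 401
2026-11-01 08:00:12 GET /autodiscover/autodiscover.xml - 203.0.113.77 - 200
"""

# Assumed management allowlist: only admin workstations on this subnet should reach ECP.
ECP_ALLOWLIST = [ipaddress.ip_network("10.0.1.0/24")]


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def is_allowed(ip_text, allowlist):
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client address is never treated as trusted
    return any(ip in net for net in allowlist)


def find_ecp_from_outside(text, allowlist=ECP_ALLOWLIST):
    """Return ECP requests whose client IP is outside the allowlist, oldest first."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if stem == "/ecp" or stem.startswith("/ecp/"):
            if not is_allowed(rec["c-ip"], allowlist):
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in find_ecp_from_outside(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
```

Any hit returned here is a request that the IP filtering workaround should have blocked, so a non-empty result after the mitigation is applied indicates either a gap in the filter or activity that predates it.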
Next Steps for IT Teams
- Apply Microsoft’s official mitigations immediately.
- Check for signs of compromise using the Exchange Health Checker script.
- Enable multi-factor authentication for all administrative accounts.
Microsoft’s advisory can be found here. Stay tuned for updates as the story develops.