Microsoft Exchange: Zero-day vulnerability is being attacked | heise online
Microsoft is warning of a zero-day security vulnerability in Exchange that is already being attacked in the wild. Updated software is not yet available. However, Microsoft is offering countermeasures that admins should implement as quickly as possible.
In the vulnerability description, Microsoft explains that the flaw is insufficient input filtering during web page generation, i.e. a cross-site scripting (XSS) vulnerability. It allows unauthenticated attackers on the network to carry out spoofing attacks (CVE-2026-42897, CVSS 8.1, risk "high"). Microsoft nevertheless classifies the severity as "critical". A blog post by Microsoft's Exchange team explains the vulnerability and the countermeasures in more detail.
Attack Scenario
The vulnerability apparently affects Outlook Web Access (OWA) specifically. According to Microsoft, attackers can send manipulated emails to victims. If a user opens such an email in OWA and certain, unspecified interaction conditions are met, arbitrary JavaScript is executed in the user's browser.
Exchange Server 2016, 2019, and Exchange Server Subscription Edition (SE) are affected at any update level. Microsoft is not yet providing software updates. An automatic fix is instead available via the Exchange Emergency Mitigation (EM) Service: where the service is active, Microsoft has already applied the countermeasures. The service has been distributed since September 2021 and is enabled by default. The blog post also describes a manual variant.
The countermeasures that contain CVE-2026-42897 have side effects that admins should be aware of. Printing calendars in OWA may no longer work. Inline images will no longer be displayed correctly in the recipient panel. OWA Light may no longer function properly, although it is obsolete and "deprecated" anyway. The mitigation details also report the countermeasure as invalid for the current Exchange version; Microsoft assures that this is purely cosmetic. If "Applied" is displayed as the status, the mitigation has taken effect.
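As an added example of the check an admin would run after reading the above (not code from the heise article or from Microsoft's post), the following Exchange Management Shell script lists the EM service state of every mailbox server and flags those where the service is disabled or the mitigation is blocked or missing. It assumes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that Microsoft documents for Get-ExchangeServer and Get-OrganizationConfig; the mitigation ID is a placeholder because the article does not name it.

```powershell
# Added example, not part of the heise article or Microsoft's mitigation post.
# Run from the Exchange Management Shell. Property names follow Microsoft's
# EM service documentation (assumption). The mitigation ID for CVE-2026-42897
# is not given in the article, so it is a placeholder here.

$ExpectedMitigationId = 'PLACEHOLDER-MITIGATION-ID'   # replace with the ID from Microsoft's post

# Org-wide switch: if this is $false, no server receives mitigations automatically.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EM service is disabled at organization level (MitigationsEnabled = False)."
}

$report = foreach ($srv in Get-ExchangeServer) {
    # Only mailbox servers host OWA and run the EM service; skip Edge Transport.
    if ($srv.ServerRole -notmatch 'Mailbox') { continue }

    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($applied -join ', ')
        Blocked            = ($blocked -join ', ')
        HasMitigation      = ($applied -contains $ExpectedMitigationId)
    }
}

$report | Format-Table -AutoSize

# Servers that need manual attention: EM service off, mitigation blocked, or missing.
$attention = $report | Where-Object {
    (-not $_.MitigationsEnabled) -or (-not $_.HasMitigation) -or $_.Blocked
}
if ($attention) {
    Write-Warning "Mailbox servers without the applied mitigation (apply the manual variant here):"
    $attention | Format-Table Server, MitigationsEnabled, Applied, Blocked -AutoSize
} else {
    Write-Host "All mailbox servers report the mitigation as applied."
}
```

Servers listed under the warning are candidates for the manual variant from Microsoft's blog post; the script only reports and changes nothing.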
The Exchange team is meanwhile working on a permanent, proper fix. It will be released in the future as an update for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. To receive it, those running Exchange 2016 or 2019 must have subscribed to the second stage of Extended Security Updates (ESU). Microsoft provides further details on the Emergency Mitigation Service on its own website.
(dmk)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.
Shortlink: https://heise.de/-11295808