Microsoft Exchange Zero-Day: No Patch, Active Exploitation, Major Risk

Microsoft Exchange Zero-Day: No Patch, Active Exploitation, Major Risk

From IT SPARC Cast by John Barger

May 22, 2026 · 10 min · Season 2 · Episode 37

About this episode

The episode discusses a critical Microsoft Exchange vulnerability that is actively being exploited, detailing its impacts and mitigation strategies.

A newly disclosed Microsoft Exchange vulnerability is actively being exploited in the wild, and there’s still no permanent patch available. In this episode of IT SPARC Cast – CVE of the Week, John and Lou break down CVE-2026-42897, explain how attackers can exploit Outlook Web Access through malicious emails, and discuss why temporary mitigations may not be enough for organizations still running on-prem Exchange. ⸻ 📄 Show Notes 🚨 CVE of the Week: Microsoft Exchange / Outlook Web Access Exploit This week’s episode focuses on CVE-2026-42897 , a high-severity vulnerability affecting: Microsoft Exchange Server 2016 Microsoft Exchange Server 2019 Exchange Subscription Edition The vulnerability is a cross-site scripting (XSS) and spoofing flaw impacting Outlook Web Access (OWA) . ⸻ ⚠️ How the Attack Works Attackers send specially crafted emails that execute malicious JavaScript when opened through Outlook Web Access. Potential impacts include: Session hijacking Browser-based code execution Exchange session theft Spoofing attacks The vulnerability is already being actively exploited in the wild. ⸻ 🌐 Who Is Affected? This impacts on-prem Exchange deployments only . Cloud-hosted…

People in this episode

Host: John Barger

Guest: Lou

Topics covered

  • Microsoft Exchange vulnerability
  • cybersecurity
  • malicious emails
  • temporary mitigations
  • cross-site scripting
  • session hijacking

Keywords

  • Microsoft Exchange
  • CVE-2026-42897
  • Outlook Web Access
  • XSS vulnerability
  • malicious JavaScript
  • session theft
  • spoofing attacks

Mentioned in this episode

Organizations: Microsoft

Products: Microsoft Exchange Server 2016, Microsoft Exchange Server 2019, Exchange Subscription Edition

More episodes of IT SPARC Cast

Explore listener stats, chart rankings, contacts and more on the IT SPARC Cast podcast page.