
Microsoft Exchange Zero-Day: No Patch, Active Exploitation, Major Risk
From IT SPARC Cast by John Barger
May 22, 2026 · 10 min · Season 2 · Episode 37
About this episode
The episode discusses a critical Microsoft Exchange vulnerability that is actively being exploited, detailing its impacts and mitigation strategies.
A newly disclosed Microsoft Exchange vulnerability is actively being exploited in the wild, and there’s still no permanent patch available. In this episode of IT SPARC Cast – CVE of the Week, John and Lou break down CVE-2026-42897, explain how attackers can exploit Outlook Web Access through malicious emails, and discuss why temporary mitigations may not be enough for organizations still running on-prem Exchange. ⸻ 📄 Show Notes 🚨 CVE of the Week: Microsoft Exchange / Outlook Web Access Exploit This week’s episode focuses on CVE-2026-42897 , a high-severity vulnerability affecting: Microsoft Exchange Server 2016 Microsoft Exchange Server 2019 Exchange Subscription Edition The vulnerability is a cross-site scripting (XSS) and spoofing flaw impacting Outlook Web Access (OWA) . ⸻ ⚠️ How the Attack Works Attackers send specially crafted emails that execute malicious JavaScript when opened through Outlook Web Access. Potential impacts include: Session hijacking Browser-based code execution Exchange session theft Spoofing attacks The vulnerability is already being actively exploited in the wild. ⸻ 🌐 Who Is Affected? This impacts on-prem Exchange deployments only . Cloud-hosted…
People in this episode
Host: John Barger
Guest: Lou
Topics covered
- Microsoft Exchange vulnerability
- cybersecurity
- malicious emails
- temporary mitigations
- cross-site scripting
- session hijacking
Keywords
- Microsoft Exchange
- CVE-2026-42897
- Outlook Web Access
- XSS vulnerability
- malicious JavaScript
- session theft
- spoofing attacks
Mentioned in this episode
Organizations: Microsoft
Products: Microsoft Exchange Server 2016, Microsoft Exchange Server 2019, Exchange Subscription Edition
More episodes of IT SPARC Cast
- One Character Broke Linux Security: CVE-2026-23111 Explained · June 12, 2026 · 11 min
- Microsoft vs Security Researchers | RTX Spark & Why Linux Won · June 8, 2026 · 24 min
- AI Finds a Redis Vulnerability Humans Missed for Two Years · June 5, 2026 · 9 min
- AI Needs Managers Now? | Smart Glasses Return & Mythos Finds 23,000 Bugs · June 1, 2026 · 22 min
- Underminr Explained: The CDN Attack That Hides Malware Behind Trusted Traffic · May 29, 2026 · 12 min
- AI Data Centers, Vibe-Coded Android Apps, and the Coming Security Flood · May 25, 2026 · 27 min
Explore listener stats, chart rankings, contacts and more on the IT SPARC Cast podcast page.