Microsoft Exchange Zero-Day Under Attack, No Patch Available

Monday, May 18, 2026 at 09:43 PM UTC·Source: Dark Reading

Updated: Monday, May 18, 2026 at 10:00 PM UTC

Executive Summary

CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.

Analysis

CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.

Indicators of Compromise (1)

CVE (1)

CVE-2026-42897

NVD MITRE CVE

Source Attribution

Originally published by Dark Reading on May 18, 2026.

Related Threats

CRITICALZero Day

Windows Zero-Day Barrage Continues After Patch Tuesday

YellowKey, GreenPlasma, and MiniPlasma add to the growing list of vulnerabilities a security researcher disclosed over the past six weeks.

7h agoDark Reading

CRITICALZero Day

Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network

There is no evidence that the incident has recurred, but the flaw remains unexplained and has not been publicly acknowledged by the company.

8h agoThe Record

MEDIUMZero Day

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted. The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production

1d agoThe Hacker News