Exchange Server zero-day exploitation for email delivery
Key Questions
What vulnerabilities are being exploited in Exchange Server attacks?
Active exploitation targets CVE-2026-42897, an XSS flaw in Outlook Web Access triggered by a single crafted email that enables spoofing without attachments, and CVE-2026-6973, which provides remote code execution capabilities.
What actions has CISA taken regarding these vulnerabilities?
CISA has added the vulnerabilities to the Known Exploited Vulnerabilities catalog and set federal patch deadlines to address the ongoing exploitation against on-premises finance organizations.
How do these zero-days facilitate further compromise?
The initial phishing email leads to post-exploitation privilege escalation on Exchange servers, allowing attackers to gain deeper access within targeted environments after the spoofed message is opened.
Active exploitation is under way of CVE-2026-42897 (an XSS flaw in OWA, triggered by a single crafted email, that enables spoofing without attachments) and of the CVE-2026-6973 RCE. CISA has added them to the KEV catalog with federal patch deadlines, and on-premises finance organizations face post-phish privilege escalation.