Microsoft Exchange Active 0-Day Exploit—Enable Emergency Mitigation Now
By Davey Winder, Senior Contributor. Davey Winder is a veteran cybersecurity writer, hacker and analyst.
May 16, 2026, 12:47pm EDT

Microsoft confirms Exchange zero-day, CISA warns it's under active exploitation.

It’s been something of a rough few days for Microsoft Exchange on the security vulnerability front. First, a zero-day was demonstrated at the Pwn2Own Berlin hacking event; that one has been responsibly disclosed and not released into the wild. Definitely already out there, and under active exploitation according to the U.S. Cybersecurity and Infrastructure Security Agency, is another Exchange zero-day, confirmed by Microsoft on May 14. CISA added the CVE-2026-42897 vulnerability to its Known Exploited Vulnerabilities Catalog on May 15, urging all organizations to prioritize timely remediation as the attack vector poses a significant risk. Here’s what you need to know.

The Microsoft Exchange CVE-2026-42897 Zero-Day Explained

Microsoft disclosed CVE-2026-42897 on May 14, describing the zero-day as a Microsoft Exchange Server spoofing vulnerability. Technically speaking, the vulnerability occurs when improper neutralization of input during web page generation, or cross-site scripting if you prefer, enables an attacker to perform spoofing over the network. All it takes to exploit this is to send a maliciously crafted email, which, when opened in Outlook Web Access, can execute arbitrary JavaScript in the context of the browser.

“The disclosure of CVE-2026-42897 is a reminder that on-premises Exchange remains the most targeted piece of real estate in the enterprise stack,” Damon S...





