Source: SecurityWeek

Microsoft Patches Exploited Exchange Server Vulnerability

By Eduard Kovacs

Microsoft has released Patch Tuesday updates to address an Exchange Server vulnerability, tracked as CVE-2026-42897, that is already being exploited in the wild. The flaw affects Exchange Server Subscription Edition, 2016, and 2019. It can be triggered by a specially crafted email, leading to spoofing and cross-site scripting that allows JavaScript execution in a victim’s browser context. CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog, requiring remediation by May 29, which underscores the urgency for organizations running affected Exchange deployments to apply the June 9 patches.