
Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild

Microsoft Exchange Server customers are urged to immediately mitigate a newly disclosed zero-day vulnerability that has been exploited in attacks.

Microsoft this week patched 137 vulnerabilities with its Patch Tuesday updates, and the cybersecurity industry was surprised to see that the latest updates did not address any zero-days. However, a zero-day was disclosed just 48 hours later, on May 14.

The Exchange zero-day, tracked as CVE-2026-42897, has been described as a spoofing and XSS issue affecting Exchange Server Subscription Edition, 2016, and 2019.

“Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network,” Microsoft said in its advisory.

The company noted that the vulnerability affects Exchange Outlook Web Access (OWA) and that an attacker can exploit it by sending a specially crafted email to the targeted user.

“If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript will be executed in the browser context,” Microsoft explained.


Until a permanent patch is developed, Microsoft has shared a few mitigation options.

Microsoft has not shared any information on the attacks exploiting CVE-2026-42897. information.killnetswitch has reached out to the company for clarification and will update this article if it responds.

An anonymous researcher has been credited for reporting the vulnerability.

It’s not uncommon for threat actors to target Exchange Server vulnerabilities (CISA’s KEV catalog currently lists nearly two dozen such flaws), but there do not appear to be any other reports of vulnerabilities discovered in 2025 and 2026 being exploited in the wild.

It’s worth noting that CVE-2026-42897 has yet to be added to CISA’s KEV list.
