Microsoft’s June Patch Tuesday: Patch the Exploited Exchange Flaw First

Heads-up: Microsoft’s June Patch Tuesday lands this week, and it’s expected to fix an Exchange Server flaw that attackers are already exploiting. If you run on-premises Exchange, get ready to patch fast.

The standout in Microsoft’s June 2026 Patch Tuesday is the fix for CVE-2026-42897 — a critical flaw in on-premises Exchange Server that’s already being exploited in the wild, as reported by Help Net Security. It’s a cross-site scripting bug: an attacker sends a specially crafted email, and if the recipient opens it in Outlook Web Access, malicious code can run in their browser. Microsoft 365 (Exchange Online) isn’t affected — this is strictly an on-premises problem.

Who’s affected

The flaw hits Exchange Server Subscription Edition, 2019 and 2016. Plenty of Australian businesses still run on-premises or hybrid Exchange, and a foothold in your mail server is about as bad as it gets — it’s the front door to every conversation, attachment and password reset in the business. The same release also bundles the rest of this month’s fixes, including a SharePoint Server remote-code-execution bug (CVE-2026-45659) and the usual Windows, Office and browser updates, flagged in Help Net Security’s June forecast.

What to do now

Don’t wait for the patch to act. The Exchange flaw has an interim mitigation built in: confirm the Exchange Emergency Mitigation Service is switched on — it’s enabled by default and applies Microsoft’s protection automatically. Then, as soon as the June updates are available, roll them out across your fleet and put any on-premises Exchange servers at the top of the list. And check that Windows, Office, Chrome and Firefox updates are actually reaching every device — not just the ones people remember to restart.
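
One way to confirm the Emergency Mitigation Service is switched on across every Exchange server, as an added example that is not part of the original article or Microsoft's own tooling. It assumes you run it in the Exchange Management Shell (Windows PowerShell 5.1) on an on-premises server and that the service's Windows name is MSExchangeMitigation; the report column names are made up for this example.

```powershell
# Added example: audit Exchange Emergency Mitigation Service (EEMS) status.
# Run in the Exchange Management Shell with rights to read server configuration.

# Organization-wide switch: if this is False, no server applies mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    # The EEMS Windows service may be missing on servers that predate EEMS
    # or that do not host the Mailbox role, so a lookup failure is tolerated.
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' `
                       -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    # EEMS only protects a server when the organization setting, the
    # per-server setting and the running service all line up.
    $active = $orgEnabled -and $server.MitigationsEnabled -and
              ($serviceState -eq 'Running')

    [pscustomobject]@{
        Server             = $server.Name
        Build              = $server.AdminDisplayVersion
        OrgEnabled         = $orgEnabled
        ServerEnabled      = $server.MitigationsEnabled
        Service            = $serviceState
        MitigationsApplied = ($server.MitigationsApplied -join ', ')
        MitigationsBlocked = ($server.MitigationsBlocked -join ', ')
        EemsActive         = $active
    }
}

$report | Format-Table -AutoSize -Wrap

# Call out every server where the interim protection cannot be relied on.
$gaps = @($report | Where-Object { -not $_.EemsActive })
if ($gaps.Count -gt 0) {
    Write-Warning ("EEMS is not active on: " + ($gaps.Server -join ', '))
} else {
    Write-Output 'EEMS is enabled and running on every Exchange server listed.'
}
```

EemsActive only shows that the service is enabled and running; check the MitigationsApplied and MitigationsBlocked columns to see what each server has actually received or been told to skip.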

Not sure whether your Exchange setup or your patching is covered? That’s exactly what a managed provider should be on top of — see how our cybersecurity team handles patching and monitoring.
