All IT Services security alert — patch Microsoft Exchange zero-day CVE-2026-42897

A high-severity Microsoft Exchange zero-day, CVE-2026-42897, is being actively exploited — and if you still run Exchange on your own server, you’re exposed. As reported by BleepingComputer, an attacker simply sends a specially crafted email; when a staff member opens it in Outlook Web Access, malicious JavaScript runs in their browser — no password and no dodgy attachment required. Microsoft shipped a fix in its June security updates, and the bug now sits on CISA’s known-exploited vulnerabilities list.

Who’s exposed

This hits Exchange Server 2016, 2019 and the newer Subscription Edition. Here’s the trap: Exchange 2016 and 2019 are past end of support, so the patch only reaches you if you’re enrolled in Microsoft’s Extended Security Updates (ESU) program. Plenty of Australian businesses still run an on-prem Exchange box quietly humming away in a cupboard and assume it’s keeping itself current. It isn’t.

What to do now

If you run Exchange on-premises, install the June 2026 security update today and leave Microsoft’s Emergency Mitigation Service switched on. If you’re on 2016 or 2019 without ESU, the fix won’t reach you at all — treat that as your cue to fast-track a move to Microsoft 365 and Exchange Online, where this class of server-side bug stops being your problem. Not sure what you’re running? Ask your IT provider exactly which Exchange version you’re on and when it was last patched.
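The "which version, when patched, is mitigation still on" check above, as an added PowerShell example (not from All IT or Microsoft) to run from the Exchange Management Shell on one of your servers; the expected post-patch build number is a placeholder you fill in from Microsoft's published Exchange build table.

```powershell
# Added example, not part of the original alert.
# PLACEHOLDER: set this to the ExSetup.exe product version that Microsoft lists
# for the June 2026 security update on your CU. Left $null, the script reports
# the build but will not claim you are patched.
$ExpectedMinimumBuild = $null   # e.g. [version]'15.x.xxxx.x' from Microsoft's table

# 1. Org-wide view: which servers exist, which product family, and whether the
#    Emergency Mitigation Service (EEMS) is enabled on each.
#    Note: AdminDisplayVersion reflects the Cumulative Update only, NOT whether
#    the security update is installed, so it is a family check, not a patch check.
$org = Get-ExchangeServer | ForEach-Object {
    $v = $_.AdminDisplayVersion
    $family = switch ("$($v.Major).$($v.Minor)") {
        '15.1'  { 'Exchange 2016 (out of support - fix requires ESU)' }
        '15.2'  { 'Exchange 2019 (out of support - ESU) or Subscription Edition' }
        default { 'Older or unknown - out of support' }
    }
    [pscustomobject]@{
        Server             = $_.Name
        CU                 = "$($v.Major).$($v.Minor).$($v.Build).$($v.Revision)"
        Family             = $family
        MitigationsEnabled = $_.MitigationsEnabled   # must be True to keep EEMS active
    }
}
$org | Format-Table -AutoSize

# 2. Local-server view: the security update changes ExSetup.exe's file version,
#    so that is the value to compare against Microsoft's table.
$exsetup = (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
$installed = [version]$exsetup
$patched = if ($ExpectedMinimumBuild) { $installed -ge $ExpectedMinimumBuild } else { 'unknown - set $ExpectedMinimumBuild' }

# The EEMS Windows service itself must also be present and running.
$svc = Get-Service MSExchangeMitigation -ErrorAction SilentlyContinue

[pscustomobject]@{
    Server           = $env:COMPUTERNAME
    InstalledBuild   = $exsetup
    PatchedForSU     = $patched
    EEMSService      = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'NOT INSTALLED' }
} | Format-List
```

Run step 2 on every server in the step 1 list (for example via Invoke-Command), and treat any 15.1 or 15.2 server that is not enrolled in ESU as unpatchable regardless of what the build says. Microsoft's HealthChecker script from the CSS-Exchange repository performs a fuller version of the same check.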

Running mail on an ageing on-prem server is now a liability, not a saving. If yours is overdue a review, talk to the All IT team.
