Security
Microsoft Exchange CVE-2026-42897: Active Exploit Warning
By Steven | TrustYourWebsite | 2 min read
Source: CERT-FR
France's national cybersecurity agency, CERT-FR (part of ANSSI), published advisory CERTFR-2026-AVI-0599 on 15 May 2026, warning of a vulnerability in Microsoft Exchange Server that is actively being exploited.
What is the vulnerability?
According to CERT-FR, the vulnerability tracked as CVE-2026-42897 allows an attacker to carry out remote indirect code injection (also known as cross-site scripting, or XSS) and to bypass security policies within Microsoft Exchange Server. Microsoft itself has confirmed that this vulnerability is being actively exploited in the wild.
In plain terms: if your business uses Microsoft Exchange Server to handle email, there is a known security weakness that attackers are already taking advantage of. This is not a theoretical risk.
What should you do?
According to the CERT-FR advisory, users and administrators should apply the patches provided in Microsoft's security bulletin for CVE-2026-42897, dated 14 May 2026. CERT-FR directs organisations to consult that bulletin directly for the relevant fixes.
If you manage your own email server, or if your IT provider does, the immediate step is to check whether your Exchange Server installation has been updated with the patches from Microsoft's security bulletin. If you are unsure who manages your email infrastructure, now is a good time to ask.
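The check the two paragraphs above ask for, written out as an added example (not code from the article, CERT-FR or Microsoft): a PowerShell function, assumed to run in the Exchange Management Shell with PowerShell remoting available to each server, that reads the installed build from ExSetup.exe on every Exchange server in the organisation and flags any below the fixed build you take from Microsoft's bulletin. The article does not quote that build, so it is a mandatory parameter with no default.

```powershell
# Added example, not from the article or from Microsoft. Assumes the Exchange
# Management Shell (for Get-ExchangeServer) and remoting rights to each server.
function Test-ExchangePatchLevel {
    param(
        # Minimum build containing the fix, copied from Microsoft's bulletin for
        # CVE-2026-42897. Placeholder by design: the article does not quote it.
        [Parameter(Mandatory = $true)]
        [version]$MinimumPatchedBuild
    )

    foreach ($server in Get-ExchangeServer) {
        try {
            # AdminDisplayVersion comes from Active Directory and is only bumped
            # by cumulative updates, not by security updates, so read the build
            # from the ExSetup.exe binary on the server itself.
            $fileVersion = Invoke-Command -ComputerName $server.Fqdn -ScriptBlock {
                (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
            } -ErrorAction Stop
            $installed = [version]$fileVersion
            $status = if ($installed -ge $MinimumPatchedBuild) { 'Patched' } else { 'NEEDS PATCH' }
        }
        catch {
            # A server that cannot be queried is reported, not silently skipped.
            $installed = $null
            $status = "Unknown (query failed: $($_.Exception.Message))"
        }

        [pscustomobject]@{
            Server         = $server.Name
            ADVersion      = $server.AdminDisplayVersion
            InstalledBuild = $installed
            Status         = $status
        }
    }
}

# Usage (replace the placeholder with the build listed in the bulletin):
# Test-ExchangePatchLevel -MinimumPatchedBuild '<fixed build from bulletin>' | Format-Table -AutoSize
```

Fixed builds differ per Exchange version and cumulative update branch, so if you run more than one branch, run the function once per branch with that branch's build from the bulletin.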
For broader guidance on keeping your business systems secure, see our security checklist for small businesses.
A note on email security more broadly
Many small businesses rely on hosted email services rather than running their own Exchange Server. If that is your situation, your provider is likely responsible for applying patches on your behalf. Even so, it is worth confirming this with them, particularly when a vulnerability is confirmed as actively exploited.
If your website relies on plugins or third-party software, similar patching principles apply. Our guide on vulnerable plugins covers what to look out for.
What does this mean for your website?
If your business uses Microsoft Exchange Server for email, you should check with your IT support that the latest security patches have been applied as a matter of priority. A compromised email server can expose customer data and damage trust in your business. Staying on top of software updates is one of the most straightforward steps you can take to protect your customers and your reputation.