A critical cross-site scripting (XSS) vulnerability in Microsoft Exchange's Outlook Web Access (OWA), identified as CVE-2026-42897, was disclosed on May 18, 2026, and added to CISA's Known Exploited Vulnerabilities (KEV) catalog just one day later. The actively exploited zero-day affects on-premise Exchange Server deployments, and Microsoft has also confirmed active exploitation of a privilege escalation flaw (CVE-2026-41091) and a denial-of-service bug (CVE-2026-45498) in Microsoft Defender.

What Happened

On May 18, 2026, Microsoft disclosed CVE-2026-42897, an actively exploited zero-day XSS vulnerability affecting on-premise Exchange Server Outlook Web Access (OWA) versions, for which a patch was not immediately available. Just a day later, on May 19, 2026, CISA added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing its critical and immediate threat status per CISA's advisory.

Then, on May 21, 2026, Microsoft warned about two more actively exploited zero-days, this time in Microsoft Defender. These were identified as CVE-2026-41091, a privilege escalation flaw, and CVE-2026-45498, a denial-of-service vulnerability. Microsoft began rolling out security patches for these Defender flaws on the same day, stating that systems configured for automatic updates of malware definitions and the Windows Defender Antimalware Platform should receive the fixes without manual intervention.

Why It Matters

The widespread adoption of Microsoft Defender and on-premise Exchange Server means these zero-days pose a potentially vast and immediate risk to enterprises globally. CVE-2026-42897 in Exchange OWA is particularly concerning because, as the Centre for Cybersecurity Belgium (CCB) warned, its exploitation could grant attackers access to a victim's Outlook mailbox and associated session tokens. The CCB stated that an attacker could read emails, modify settings, or potentially pivot further into the network, but Microsoft has not confirmed these specific outcomes.

CISA's addition of CVE-2026-42897 to its KEV catalog means organizations running unpatched Exchange Server 2016, 2019, or Subscription Edition (SE) are immediate targets for active attacks. Additionally, the privilege escalation flaw CVE-2026-41091 in Defender, which enables local attackers to achieve SYSTEM privileges, is a critical stepping stone for lateral movement or deeper system compromise. Solutions like CrowdStrike Falcon or SentinelOne can detect anomalous activity even when underlying vulnerabilities are exploited, providing an additional layer of defense. The DoS flaw, while less severe at a CVSS of 4.0, can still disrupt operations, making systems unavailable.

NVD advisory — CVE-2026-42897

Technical Breakdown

CVE-2026-41091: Microsoft Defender Privilege Escalation
This flaw, rated 7.8 CVSS (High), resides in the Microsoft Malware Protection Engine (versions 1.1.26030.3008 and earlier). It's a "link following" vulnerability, meaning it relates to improper link resolution before file access. An authenticated attacker can exploit this locally to elevate privileges to SYSTEM. The flaw tricks a privileged process into acting on a resource it shouldn’t, granting the attacker elevated permissions. This maps directly to T1068 Exploitation for Privilege Escalation in the MITRE ATT&CK framework. Review your AC-6 Least Privilege controls, ensuring that services and applications run with the minimum necessary permissions, reducing the impact if such a flaw is exploited.

CVE-2026-45498: Microsoft Defender Denial-of-Service
This medium-severity flaw (CVSS 4.0) affects Microsoft Defender Antimalware Platform versions 4.18.26030.3011 and earlier. Successful exploitation can trigger a denial-of-service state on unpatched Windows devices. While less directly impactful than privilege escalation, a DoS can still halt critical operations, especially in environments reliant on Defender for frontline protection.

CVE-2026-42897: Microsoft Exchange Server Spoofing/XSS
This is an XSS vulnerability in Exchange Outlook Web Access (OWA), with Microsoft assigning it a CVSS of 8.1 (High) while NIST's National Vulnerability Database lists it as 6.1 (Medium). Attackers can send a specially crafted email. If a user opens this email in OWA and certain interaction conditions are met, arbitrary JavaScript can execute within their browser context. The CCB says this could allow attackers to steal session tokens, access mailbox contents, or manipulate settings, but Microsoft has not confirmed these specific claims. This attack vector aligns with T1203 Exploitation for Client Execution, as the XSS payload is executed within the client's browser. To prevent such client-side exploits, implement SI-10 Information Input Validation, ensuring all user-supplied data is properly sanitized before being rendered in a web application.

Historical Context

Microsoft Exchange Server has a notorious history of critical vulnerabilities and widespread exploitation, often by sophisticated threat actors. For example, the China-linked Hafnium group exploited a series of zero-day vulnerabilities (e.g., ProxyLogon, ProxyShell) in early 2021. These allowed for remote code execution (RCE) and extensive data theft from Exchange servers globally, impacting tens of thousands of organizations within days of disclosure. The current CVE-2026-42897 XSS flaw in Exchange OWA is also a zero-day actively exploited against a widely used, internet-facing Microsoft product. While the impact of an OWA XSS differs from RCE on the server itself, compromising OWA users' mailboxes can still lead to significant data exposure and further internal compromise. This pattern reinforces the critical need for constant vigilance and prompt patching of Exchange infrastructure, as previous campaigns demonstrated sensitive information theft on a massive scale.

Data at a Glance

Metric                                              Value       Source
CVE-2026-41091 CVSS v3.1 score                      7.8         NVD
CVE-2026-45498 CVSS v3.1 score                      4.0         NVD
CVE-2026-42897 CVSS v3.1 score                      6.1 – 8.1   NVD, Microsoft
Days from Exchange disclosure to CISA KEV listing   1 day       CISA
Defender patch rollout time (post-disclosure)       0 days      The Hacker News

[Chart: key metrics for Microsoft zero-days (Defender and Exchange exploited in the wild); data from the sources cited above]

Our Take

We're seeing a familiar, frustrating pattern here: actively exploited zero-days hitting core Microsoft platforms. The fact that the Exchange OWA flaw went public without an immediate patch, only to land in CISA's KEV catalog a day later, is a strong signal for immediate attention. Defender vulnerabilities are equally concerning; privilege escalation is a prime entry point for attackers to move from a foothold to deeper control. Organizations can't just rely on automatic updates; verifying their deployment and actively monitoring for suspicious activity is non-negotiable right now. Patching is always step one, but continuous verification and a strong EDR solution are the actual defenses against these types of rapid, in-the-wild exploitations.

The CVEDaily Take

Microsoft has released patches for the Defender vulnerabilities, yet the Exchange OWA flaw has no immediate fix. This disparity suggests that, despite the consistent pattern of zero-day exploitation, Microsoft's response timeline remains inconsistent across its product lines. The Exchange disclosure without an available patch puts a heavy burden on IT teams, forcing them to implement workarounds while exposed. Given this string of zero-days and the lack of an immediate Exchange patch, how are you hardening your OWA instances and monitoring Defender update cycles to ensure compliance?

FAQ

Q1: What's the immediate risk if we're running Exchange Server 2016, 2019, or Subscription Edition with OWA exposed?
A1: Your immediate risk is that attackers can send specially crafted emails that, if opened in OWA under specific conditions, execute arbitrary JavaScript in the user's browser. The CCB says this could lead to session token theft, unauthorized mailbox access, or modifications to email content, potentially compromising sensitive communications and user identities, though Microsoft has not confirmed these specific claims.

Q2: How do we confirm our Defender systems are patched for CVE-2026-41091 and CVE-2026-45498?
A2: For CVE-2026-41091, verify your Microsoft Malware Protection Engine version is newer than 1.1.26030.3008. For CVE-2026-45498, check your Microsoft Defender Antimalware Platform version is newer than 4.18.26030.3011. You can usually find these versions in the Defender UI or through PowerShell commands like Get-MpComputerStatus or by checking Windows Update history.
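The version check described in A2, as an added PowerShell example that is not part of the original article: it reads the installed engine and platform versions from Get-MpComputerStatus (the AMEngineVersion and AMProductVersion properties) and compares them against the last vulnerable builds the article cites. The function Test-DefenderPatchLevel and its variable names are this example's own; it assumes a Windows host with Microsoft Defender and its PowerShell module present.

```powershell
# Added example, not from the article: compare the locally installed Defender engine and
# platform versions against the last vulnerable builds the article cites.
# Assumes Windows with Microsoft Defender and the Defender PowerShell module available.

# Last vulnerable versions per the article; a fixed system must be NEWER than these.
$lastVulnerableEngine   = [version]'1.1.26030.3008'    # CVE-2026-41091, Malware Protection Engine
$lastVulnerablePlatform = [version]'4.18.26030.3011'   # CVE-2026-45498, Antimalware Platform

function Test-DefenderPatchLevel {
    param(
        [Parameter(Mandatory)][version]$EngineVersion,
        [Parameter(Mandatory)][version]$PlatformVersion
    )
    # [version] comparison is numeric per component, so 1.1.26030.3010 > 1.1.26030.3008
    # and a build equal to the last vulnerable one is still reported as exposed.
    [pscustomobject]@{
        EngineVersion   = $EngineVersion
        EnginePatched   = $EngineVersion   -gt $lastVulnerableEngine
        PlatformVersion = $PlatformVersion
        PlatformPatched = $PlatformVersion -gt $lastVulnerablePlatform
    }
}

# Query the live host. AMEngineVersion is the engine build, AMProductVersion the platform build.
$status = Get-MpComputerStatus
$result = Test-DefenderPatchLevel -EngineVersion   $status.AMEngineVersion `
                                  -PlatformVersion $status.AMProductVersion
$result | Format-List

if (-not ($result.EnginePatched -and $result.PlatformPatched)) {
    # Definitions/engine refresh via Update-MpSignature; the platform update ships through
    # Windows Update, so re-run this check after both have completed.
    Write-Warning 'Defender engine or platform is at or below the vulnerable build; update and re-check.'
    exit 1
}
```

Run it from an elevated PowerShell session on each endpoint, or wrap it in your fleet tooling and collect the non-zero exit code as the "still exposed" signal.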

Q3: What's the primary attack vector for the Exchange OWA XSS (CVE-2026-42897)?
A3: The primary attack vector for CVE-2026-42897 is a specially crafted email. An attacker sends an email containing malicious JavaScript to a target. If the target opens this email in Outlook Web Access (OWA) and specific user interaction conditions are met (which Microsoft has not fully detailed), the JavaScript executes within the user's browser context, initiating the attack.