Microsoft has issued a warning about a zero-day vulnerability in Exchange Server that is already being exploited in the wild. No patched software is available yet, so Microsoft advises administrators to apply the recommended countermeasures quickly.

The flaw is insufficient input filtering while web pages are generated, resulting in a cross-site scripting (XSS) issue that lets unauthenticated, network-based attackers mount spoofing attacks. It affects Outlook Web Access (OWA): under certain conditions, a manipulated email can trigger arbitrary JavaScript execution in the browser of the user viewing it. Exchange Server 2016, Exchange Server 2019 and the Exchange Server Subscription Edition are affected regardless of update level.

Until an update ships, the Exchange Emergency Mitigation Service (EEMS) provides an automatic interim fix. The service, available since September 2021, has already applied the countermeasures on servers where it is enabled. Note that the mitigation can impair some OWA functionality, notably calendar printing and the display of inline images. Microsoft is working on a permanent fix, which will be delivered in future updates for specific Exchange versions; for some of these versions an Extended Security Updates subscription is required.
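Because the countermeasure is only in place "where enabled", the practical check for an administrator is whether EEMS is switched on for the organisation and on each server, and which mitigations each server has actually applied or blocked. The following script is an added example, not Microsoft's or the article's code. It is meant to be run in the Exchange Management Shell and relies on the documented `Get-OrganizationConfig` / `Get-ExchangeServer` properties `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked`; the mitigation ID for this particular flaw is not given on the page, so `$expectedMitigation` is a placeholder to be replaced with the ID from Microsoft's advisory.

```powershell
# Added example (not Microsoft's or the article's code): report EEMS status across all
# Exchange servers so you can see where the interim mitigation is (or is not) in effect.
# Run from the Exchange Management Shell with an account holding Exchange admin rights.

# Placeholder: the page does not name the mitigation ID for this flaw; take it from the advisory.
$expectedMitigation = 'M<ID-FROM-MICROSOFT-ADVISORY>'

# Organisation-wide master switch for EEMS; if this is off, no server applies anything.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organisation level; enable it with: Set-OrganizationConfig -MitigationsEnabled `$true"
}

# Per-server status. The EM service on each server records which mitigations it applied
# and which ones an administrator explicitly blocked on that server.
Get-ExchangeServer | ForEach-Object {
    $srv     = Get-ExchangeServer -Identity $_.Identity
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    $status = if (-not $org.MitigationsEnabled -or -not $srv.MitigationsEnabled) {
        'EEMS OFF'
    } elseif ($applied -contains $expectedMitigation) {
        'MITIGATED'
    } elseif ($blocked -contains $expectedMitigation) {
        'BLOCKED (mitigation deliberately blocked on this server)'
    } else {
        # The EM service must reach Microsoft's Office Config Service to pick up new mitigations.
        'NOT YET APPLIED (verify the EM service is running and has outbound connectivity)'
    }

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($applied -join ', ')
        Blocked            = ($blocked -join ', ')
        Status             = $status
    }
} | Format-Table -AutoSize
```

Servers reporting `EEMS OFF` are the ones still exposed; enable the service with `Set-ExchangeServer -Identity <server> -MitigationsEnabled $true` (and the organisation-level switch if needed). If the OWA side effects mentioned above (calendar printing, inline images) are unacceptable on a particular server, the documented way to opt that server out is `Set-ExchangeServer -Identity <server> -MitigationsBlocked @('<ID>')`, with the understanding that the server then remains unmitigated until the permanent fix is installed. Microsoft also ships `Get-Mitigations.ps1` in the Exchange `Scripts` directory, which lists the mitigations applied on the local server and can be used to cross-check the output above.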

