The Zero-Day That Was Already Being Used
In the June 2026 Patch Tuesday update, Microsoft patched CVE-2026-42897, an actively exploited zero-day vulnerability in Microsoft Exchange Server. The vulnerability involves spoofing and cross-site scripting, and affects Exchange Server Subscription Edition, Exchange Server 2016, and Exchange Server 2019. It was being exploited in the wild before the patch was available.
Exchange Server zero-days are not new: ProxyLogon (2021), ProxyShell (2021), ProxyNotShell (2022), and now CVE-2026-42897 (2026). The pattern repeats because the architecture persists: on-premise mail servers with complex web interfaces, deep Active Directory integration, and broad network access. Each zero-day is a reminder that on-premise Exchange is critical infrastructure with an attack surface that nation-states and cybercriminals both target.
The Web Surface of Email Infrastructure
Exchange Server's web interface — Outlook Web Access, Exchange Admin Center, Exchange Web Services — is a web application running on IIS. It serves HTML, processes JavaScript, handles authentication, and manages sessions. Every web vulnerability class applies: XSS, SSRF, deserialization, authentication bypass. Exchange is both an email server and a web application, and it inherits the security challenges of both.
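One way to see how much of that web surface is reachable from outside is to read the IIS logs the Exchange front end already writes. The script below is an added example, not code from this article or from Microsoft: it parses a W3C-format log and lists which external client addresses reached OWA, the Exchange Admin Center and EWS. The /owa, /ecp and /ews path prefixes are the default virtual directory paths; the 10.0.0.0/8 internal range and the log lines themselves are constructed assumptions.

```python
import ipaddress

# Constructed IIS W3C log excerpt (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-06-10 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2026-06-10 08:01:15 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\alice 10.0.4.22 Outlook 200
2026-06-10 08:02:40 10.0.0.5 GET /ecp/default.aspx - 443 - 198.51.100.9 Mozilla/5.0 302
2026-06-10 08:03:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\admin 10.0.4.30 Mozilla/5.0 200
2026-06-10 08:03:30 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 302
"""

# Default virtual directory prefixes for the three surfaces named in the text.
SURFACES = {"/owa": "OWA", "/ecp": "EAC", "/ews": "EWS"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the site's internal range

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def surface_of(uri_stem):
    """Return the surface name for a request path, or None if it is not one of them."""
    stem = uri_stem.lower()  # IIS paths are case-insensitive
    for prefix, name in SURFACES.items():
        if stem == prefix or stem.startswith(prefix + "/"):
            return name
    return None

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_exposure(text):
    """Map surface name -> sorted list of external client IPs that reached it."""
    seen = {}
    for row in parse_w3c(text):
        name = surface_of(row["cs-uri-stem"])
        if name and not is_internal(row["c-ip"]):
            seen.setdefault(name, set()).add(row["c-ip"])
    return {name: sorted(ips) for name, ips in seen.items()}
```

Any external address listed under EAC means the admin interface is answering requests from outside the internal range, which is usually the first exposure to close.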
Organizations running on-premise Exchange alongside WordPress-powered websites face compounded legacy risk. Both are server-side applications with broad attack surfaces, both require constant patching, and both have active threat actor communities dedicated to finding and exploiting their vulnerabilities. The legacy web infrastructure problem extends beyond the website itself.
The Migration Path
Microsoft's own recommendation for Exchange customers is migration to Exchange Online (Microsoft 365). The cloud-hosted version eliminates the on-premise attack surface — no IIS web server to exploit, no local Active Directory integration to pivot through, no zero-day window between exploitation and patch deployment.
The parallel to web framework migration is direct. On-premise Exchange is to Exchange Online what WordPress is to a modern headless CMS. The legacy version provides maximum control and maximum attack surface. The modern version provides managed security and reduced operational burden. The zero-days keep coming for the legacy version because the architecture that produces them has not changed since 2016.


