Microsoft Exchange Active 0-Day Exploit—Enable Emergency Mitigation Now

It’s been something of a rough few days for Microsoft Exchange on the security vulnerability front. A zero-day being demonstrated at the Pwn2Own Berlin hacking event, which has been responsibly disclosed and not released into the wild. Definitely already out there, and under active exploitation according to the U.S. Cybersecurity and Infrastructure Security Agency, another Exchange zero-day, confirmed by Microsoft on May 14. CISA added the CVE-2026-42897 vulnerability to its Known Exploited Vulnerabilities Catalog on May 15, urging all organizations to prioritize timely remediation as the attack vector poses a significant risk. Here’s what you need to know.

ForbesMicrosoft Windows Alert—Angry Hacker Drops 2 New Zero-Day ExploitsBy Davey Winder