Tag: CVE-2026-42897

  • Microsoft June 2026 Patch Tuesday: High Stakes & Hidden Features

    Microsoft June 2026 Patch Tuesday: High Stakes & Hidden Features

    Key Takeaway

    – June 2026 Patch Tuesday is a critical compliance milestone due to June 24 expiration of legacy UEFI Secure Boot certificates.
    – Unpatched devices will lose the ability to receive future boot security updates, including Windows Boot Manager and revocation list updates.
    – CVE-2026-42897, a high-severity XSS vulnerability in Outlook Web Access for on-premises Exchange, is now permanently patched.
    – Major Windows 11 features include NPU monitoring in Task Manager, Shared Audio via Bluetooth LE, and Multi-App Camera support.
    – Users can now set custom local user folder names during clean Windows 11 installations.

    Rollout of June 2026 Security Bundle Begins

    Microsoft has officially begun rolling out its June 2026 Patch Tuesday update bundle, turning a routine monthly security deployment into an essential compliance milestone for enterprise networks. Because legacy 2011-era Third-Party UEFI Secure Boot certificates begin their scheduled expiration cycle on June 24, IT departments are using this update window to finalize validation across their device fleets.

    New Features for Everyday Users

    While enterprise administrators are focused on long-term boot compliance, everyday Windows 11 users will receive a collection of new, officially documented features. Rather than holding quality-of-life upgrades back for a traditional annual operating system version milestone, Microsoft is using this mandatory quality update to deliver sweeping platform improvements to general system performance, hardware diagnostics, and peripheral management.

    Critical Checkpoint for Corporate Environments

    For corporate environments, the June 9 rollout represents a critical checkpoint in a multi-stage infrastructure transition. According to official Microsoft lifecycle documentation, devices that do not migrate to the newer Windows UEFI CA 2023 certificates ahead of the summer expiration timeline will continue to boot and operate normally under standard conditions. However, Microsoft warns that these non-updated endpoints will lose the ability to receive new security protections for the early boot process, effectively halting future updates to the Windows Boot Manager, Secure Boot databases, and critical vulnerability revocation lists.

    Security Vulnerability and Patch Details

    On the security front, administrators are closely monitoring CVE-2026-42897, a high-profile cross-site scripting vulnerability affecting Outlook Web Access in on-premises Exchange Server deployments. With today’s security updates officially delivering the permanent patch to resolve this vulnerability, administrators can finally transition away from temporary blocks previously managed by the Exchange Emergency Mitigation Service. Today’s quality update bundle also addresses associated system bugs, including a fix for installation failures on devices with limited space of 10 MB or less on their EFI System Partition.

    Major Feature Updates for Performance

    Beyond security patches, the deployment introduces a series of major feature updates directly to the Windows 11 client ecosystem under the general performance umbrella. For core system performance, this update officially accelerates app launch behaviors and enhances responsiveness across core shell experiences, specifically targeting micro-stuttering within the Start menu, Search, and Action Center.

    Task Manager and NPU Monitoring

    To accommodate modern hardware requirements, Task Manager now provides significantly improved visibility into local AI workloads by introducing optional columns to actively track Neural Processing Unit utilization, active NPU engines, and dedicated or shared NPU memory allocations.

    Media Management and Sharing Upgrades

    Media management receives a substantial upgrade through the launch of the Shared Audio feature, which utilizes Bluetooth LE Audio broadcast technology to allow two individuals to listen to the same audio stream from a single Windows 11 PC simultaneously using separate connected devices. Capturing and streaming video is also more flexible with the introduction of the Multi-App Camera feature, allowing a single physical webcam feed to be shared across multiple communication applications at the same time alongside a new Basic Camera mode intended to simplify device troubleshooting.

    Custom User Folder Name Option

    Finally, addressing a long-standing infrastructure request, the updated Windows setup experience now allows users to choose an exact custom name for their local user folder directly on the Device Name page during clean system installations, cleanly bypassing automated account abbreviations.

    Global Rollout and Enterprise Monitoring

    The mandatory quality update is rolling out globally via Windows Update. Enterprise deployment teams are advised to monitor local system event logs for firmware completion markers to ensure complete fleet readiness ahead of the absolute June certificate cutoff.

    Systemic Pressure on Corporate Networks

    Beyond the routine security fixes and the critical firmware validation deadlines, today’s deployment cycle underscores the broader systemic pressure facing corporate defense networks. While these automated cumulative updates resolve several active operational exploits, the long-term fallout from recent uncoordinated disclosure waves remains an escalating challenge for enterprise administrators as they brace for the threatened mid-July mass disclosure drop by researcher “Nightmare Eclipse.”

    Sources
    Tags: , , , ,
  • Microsoft Exchange Server zero-day exploited via crafted email

    Microsoft Exchange Server zero-day exploited via crafted email

    Key Takeaway

    – CVE-2026-42897 is a zero-day cross-site scripting flaw in on-premises Exchange Server (not in Exchange Online) that allows arbitrary JavaScript execution via a crafted email and certain user interactions, with no authentication required.
    – Microsoft issued an emergency mitigation (EEMS) and CISA added the flaw to its Known Exploited Vulnerabilities catalog; remediation was mandated for federal agencies by May 29.
    – Mitigation has functional side effects: OWA Print Calendar and inline images may break; OWA Light becomes unusable; cosmetic status bugs can show “Mitigation invalid” despite proper application.

    Microsoft confirms active exploitation of CVE-2026-42897 in on-premises Exchange Server

    Microsoft confirmed active exploitation of CVE-2026-42897, a zero-day in on-premises Exchange Server that lets attackers execute arbitrary JavaScript in a victim’s browser by sending a crafted email. No permanent patch exists. Microsoft deployed an emergency mitigation on May 14, and CISA added the flaw to its Known Exploited Vulnerabilities catalog the following day, requiring federal agencies to remediate by May 29. Exchange Online is not affected.

    What the flaw does and who is affected

    CVE-2026-42897 is a cross-site scripting flaw in the Outlook Web Access component of on-premises Microsoft Exchange Server, rated CVSS 8.1. An attacker sends a specially crafted email to a target. When the recipient opens it in OWA under certain interaction conditions, arbitrary JavaScript executes inside the browser session.

    Microsoft classifies the vulnerability as a spoofing issue rooted in improper input neutralization during web page generation. The attack path does not require authentication or server access. It starts with an inbox.

    Scope and immediate actions

    The flaw hits on-prem Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Exchange Online is not vulnerable.

    On-prem Exchange sits at the center of corporate email for governments, financial institutions, and enterprises that have not moved to the cloud. CISA’s Known Exploited Vulnerabilities catalog lists nearly two dozen Exchange Server flaws already, and ransomware groups have abused several of them to breach targets. CVE-2026-42897 arrived just two days after May’s Patch Tuesday, which patched 120 vulnerabilities but disclosed no zero-days in its release notes.

    Mitigation steps taken by Microsoft

    Microsoft deployed a temporary fix through its Exchange Emergency Mitigation Service, labeled M2.1.x. The EEMS applies the mitigation automatically via URL rewrite configuration on Exchange Mailbox servers where the service is enabled by default. Administrators can verify status using the Exchange Health Checker script at aka.ms/ExchangeHealthChecker.

    For air-gapped or disconnected environments where EEMS cannot reach Microsoft’s servers, admins must manually download the latest Exchange On-premises Mitigation Tool and run it via an elevated Exchange Management Shell. The command targets a single server or can run across the full Exchange fleet at once.

    Potential cosmetic and functional impacts

    There is one cosmetic issue to be aware of. Some servers will show the mitigation status as “Mitigation invalid for this exchange version” in the description field. Microsoft confirms the fix is applied correctly in these cases if the status column reads “Applied”. The display text is a known cosmetic bug under investigation.

    Applying the fix has functional consequences. The OWA Print Calendar feature stops working after the mitigation applies. Inline images no longer display correctly in recipients’ reading panes inside Outlook Web Access.

    Interface changes and future fixes

    OWA Light, the legacy interface accessed via a URL ending in /?layout=light, also stops functioning after the mitigation applies. Microsoft deprecated the interface years ago and does not consider it production-ready, but organizations still using it will need to route users through the standard OWA URL instead.

    Microsoft is developing a permanent fix and has not confirmed a release timeline. When available, Exchange Server Subscription Edition will receive it through the standard update channel. Exchange Server 2016 and 2019 will only get the permanent patch through Microsoft’s Period 2 Extended Security Update program.

    Coordinated response and ongoing exposure

    Organizations running either older version without ESU enrollment will stay exposed until they apply the emergency mitigation manually. CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15 and requires Federal Civilian Executive Branch agencies to remediate by May 29. Microsoft has not identified the threat actors behind the active attacks or disclosed which organizations attackers targeted.

    The timing of CVE-2026-42897 sits at the other end of the vulnerability lifecycle from proactive discovery. Microsoft’s MDASH AI model recently identified 16 critical Windows flaws before attackers could reach them, a detection approach that CVE-2026-42897 bypassed entirely.

    Sources
    Tags: , , , ,