CERTFR-2026-ALE-005
Vulnerability from certfr_alerte - Published: 2026-05-15 - Updated: 2026-05-15
On 14 May 2026, Microsoft published a security advisory for vulnerability CVE-2026-42897 affecting Exchange Server. It allows an unauthenticated attacker to cause cross-site scripting (XSS) and a security policy bypass when a user opens a crafted e-mail in Outlook Web Access.
Microsoft states that CVE-2026-42897 is being actively exploited.
Temporary workaround
The Exchange Emergency Mitigation Service [1] is enabled by default and runs automatically. For disconnected environments, the vendor has published a blog post [2] describing a procedure for applying the temporary workaround manually.
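Because the workaround depends on the Exchange Emergency Mitigation Service actually running and being allowed to apply mitigations, the following added check (not part of the CERT-FR alert or of Microsoft's guidance) verifies both on an Exchange server from the Exchange Management Shell. It assumes the Windows service name MSExchangeMitigation and the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties exposed by Get-ExchangeServer and Get-OrganizationConfig; confirm these against the Microsoft documentation linked under [1] before relying on them.

```powershell
# Added example: confirm the Exchange Emergency Mitigation Service (EEMS) can
# apply automatic mitigations on this server. Run in the Exchange Management Shell.
# Service name and property names below are assumptions to verify against [1].

$serverName = $env:COMPUTERNAME

# 1. Is the mitigation service present and running?
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "MSExchangeMitigation service not found on $serverName"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "MSExchangeMitigation is $($svc.Status); automatic mitigations will not be applied"
}

# 2. Is automatic mitigation enabled at organization and server level?
$org    = Get-OrganizationConfig
$server = Get-ExchangeServer -Identity $serverName

if (-not $org.MitigationsEnabled) {
    Write-Warning "MitigationsEnabled is false at organization level"
}
if (-not $server.MitigationsEnabled) {
    Write-Warning "MitigationsEnabled is false on $serverName; apply the manual procedure from [2]"
}

# 3. Which mitigations have been applied or blocked on this server?
$server | Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked
```

A server that is deliberately disconnected from the Internet will show the service running but no mitigation applied, which is exactly the case the manual procedure in [2] is meant for.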
Solutions
Microsoft has announced that a fix will be released shortly. CERT-FR recommends checking the vendor's announcements regularly for the availability of fixes.
References
- [1] Exchange Emergency Mitigation Service: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service
- [2] Exchange team blog post: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- Microsoft security bulletin CVE-2026-42897: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
- CERT-FR notice CERTFR-2026-AVI-0599 of 15 May 2026: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0599/
| Vendor | Product | Description |
|---|---|---|
| Microsoft | Exchange Server 2019 Cumulative Update 15 | Microsoft Exchange Server 2019 Cumulative Update 15 |
| Microsoft | Exchange Server Subscription Edition RTM | Microsoft Exchange Server Subscription Edition RTM |
| Microsoft | Exchange Server 2019 Cumulative Update 14 | Microsoft Exchange Server 2019 Cumulative Update 14 |
| Microsoft | Exchange Server 2016 Cumulative Update 23 | Microsoft Exchange Server 2016 Cumulative Update 23 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Microsoft Exchange Server 2019 Cumulative Update 15",
"product": {
"name": "Exchange Server 2019 Cumulative Update 15",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server Subscription Edition RTM",
"product": {
"name": "Exchange Server Subscription Edition RTM",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2019 Cumulative Update 14",
"product": {
"name": "Exchange Server 2019 Cumulative Update 14",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2016 Cumulative Update 23",
"product": {
"name": "Exchange Server 2016 Cumulative Update 23",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"closed_at": null,
"content": "## Contournement provisoire\n\nLe service de contournement d\u0027urgence pour Exchange (*Exchange Emergency Mitigation Service*) [1] est activ\u00e9 par d\u00e9faut et fonctionne automatiquement. Pour les environnements d\u00e9connect\u00e9s, l\u0027\u00e9diteur a mis \u00e0 disposition un billet de blogue [2] d\u00e9taillant une proc\u00e9dure pour appliquer le contournement provisoire.\n\n## Solutions\nMicrosoft a annonc\u00e9 qu\u0027un correctif sera publi\u00e9 prochainement.\nLe CERT-FR recommande de consulter r\u00e9guli\u00e8rement les annonces de l\u0027\u00e9diteur pour la mise \u00e0 disposition des correctifs.",
"cves": [
{
"name": "CVE-2026-42897",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-42897"
}
],
"initial_release_date": "2026-05-15T00:00:00",
"last_revision_date": "2026-05-15T00:00:00",
"links": [
{
"title": "Compromission d\u0027un compte de messagerie - Qualification",
"url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2024-RFX-003/"
},
{
"title": "Compromission d\u0027un compte de messagerie - Endiguement",
"url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2024-RFX-004/"
},
{
"title": "[1] Service de contournement d\u0027urgence pour Exchange",
"url": "https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service"
},
{
"title": "[2] Billet de blogue de l\u0027\u00e9quipe Exchange",
"url": "https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498"
},
{
"title": "Avis CERT-FR CERTFR-2026-AVI-0599 du 15 mai 2026",
"url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0599/"
}
],
"reference": "CERTFR-2026-ALE-005",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-15T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Le 14 mai 2026, Microsoft a publi\u00e9 un avis de s\u00e9curit\u00e9 concernant la vuln\u00e9rabilit\u00e9 CVE-2026-42897 affectant Exchange Server. Elle permet \u00e0 un attaquant non authentifi\u00e9 de provoquer une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9 lorsqu\u0027un utilisateur ouvre un courriel pi\u00e9g\u00e9 dans Outlook Web Access.\n\nMicrosoft indique que la vuln\u00e9rabilit\u00e9 CVE-2026-42897 est activement exploit\u00e9e.",
"title": "Vuln\u00e9rabilit\u00e9 dans Microsoft Exchange Server",
"vendor_advisories": [
{
"published_at": "2026-05-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-42897",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897"
}
]
}