Microsoft Exchange Is Being Actively Exploited Right Now. Is Your Business Exposed?
CISA added a Microsoft Exchange Server vulnerability to its Known Exploited Vulnerabilities catalogue this week. That is the US government’s confirmed list of flaws being actively used in real attacks. Not theoretical. Not proof-of-concept. Active exploitation, happening now.
At the same time, a critical NGINX vulnerability is being exploited in the wild. NGINX is the web server technology quietly running behind a significant portion of UK small business websites, hosting infrastructure, and online services.
Two confirmed active exploits. Both with patches available. Both relevant to UK businesses this week.
What Is Actually Happening: The Microsoft Exchange Flaw
CVE-2026-42897 is a vulnerability in Microsoft Exchange Server’s Outlook Web Access (OWA) component. OWA is the browser-based email interface that lets people access their company email from anywhere.
The flaw allows an attacker to inject and execute malicious JavaScript in the victim’s browser. In practice, that means session hijacking: an attacker can steal the authentication tokens that keep you logged in, effectively taking over your email account without needing your password.
No authentication is required to trigger this attack. An attacker can send a specially crafted request to an exposed Exchange server and begin the exploitation process without having any existing credentials.
Inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalogue is significant. CISA does not add vulnerabilities to the KEV list speculatively. Confirmed, observed exploitation in the wild is the threshold. This is not a vendor warning to patch eventually. It is a signal that attacks are underway.
Who does this affect? Businesses running on-premise Microsoft Exchange. If your organisation hosts its own email server rather than using cloud-hosted Microsoft 365, this is directly relevant. Many UK small businesses still run on-premise Exchange for cost reasons, legacy integration requirements, or because nobody has ever reviewed whether it is still the right approach.
Microsoft has released a patch. The only action that makes a material difference is applying it.
What Is Actually Happening: The NGINX Exploitation
CVE-2026-42945 is a heap buffer overflow vulnerability in NGINX’s HTTP rewrite module (ngx_http_rewrite_module). NGINX is a web server, reverse proxy, and load balancer running on tens of millions of servers globally.
The flaw allows an unauthenticated attacker to send a specially crafted HTTP request that causes a heap buffer overflow. The primary consequence is denial of service: your web server crashes. On systems where Address Space Layout Randomisation (ASLR) is disabled, the consequences are more severe. Remote code execution becomes possible, meaning an attacker can run arbitrary commands on your server.
Active exploitation has been confirmed in the wild. Researchers observed real-world attacks within days of public disclosure. This is the kind of speed that renders a patch-when-convenient approach meaningless.
If your business has a website, particularly one hosted on your own infrastructure or via a smaller hosting provider, NGINX is likely somewhere in the stack. The question to ask your hosting provider or IT support today is simple: has the NGINX patch for CVE-2026-42945 been applied?
If they cannot answer that question with certainty, that is itself diagnostic information about the quality of your IT support.
What This Week’s Intelligence Actually Tells Us
Strip away the technical detail and the pattern is familiar.
Two pieces of widely deployed infrastructure, both with known critical vulnerabilities, both under active exploitation. Both with patches that have been publicly available. The gap between patch availability and patch application is where attackers operate.
For UK small businesses, the specific risk profile here is worth stating plainly:
On Microsoft Exchange: If you are running on-premise Exchange and your IT support has not proactively contacted you this week about CVE-2026-42897, you have a support quality problem as well as a patching problem. CISA KEV additions are not obscure advisories. They are the clearest possible signal that a vulnerability requires immediate action.
On NGINX: Most small businesses do not directly manage their web infrastructure. They rely on a hosting provider or an MSP. That reliance is reasonable, but it requires accountability. Your provider should be able to confirm patch status in writing. If they cannot, or will not, that is a contractual and operational failure worth addressing.
The broader context from this week’s threat intelligence is also worth noting. Pwn2Own Berlin 2026 produced 47 unique zero-day vulnerabilities across three days. The Microsoft Exchange flaw featured in that research. This is not isolated. The vulnerability research community is actively identifying and weaponising flaws in the infrastructure that UK businesses depend on daily.
Separately, a CVSS 10.0 vulnerability (CVE-2026-42822) was published this week affecting Azure Local Disconnected Operations, allowing privilege escalation over a network without authentication. Businesses using Azure Local in disconnected or hybrid configurations should confirm with their IT provider whether this affects their deployment.
Why This Is a Competitive Advantage, Not Just a Risk Conversation
Organisations that patch promptly and maintain current infrastructure are, by definition, a harder target than those that do not. That is not a philosophical statement. It is operational fact.
For UK small businesses operating in supply chains, the reputational and contractual value of being able to demonstrate current patch status is increasing. Enterprise clients and public sector procurement increasingly include security hygiene requirements in supplier vetting. Being the business that had a confirmed-exploited Exchange vulnerability unpatched for two weeks is a liability. Being the business that patched within 24 hours of CISA confirmation is a differentiator.
If you hold Cyber Essentials certification, patch management is one of its five technical controls. Timely patching of critical vulnerabilities is a requirement, not a recommendation. An unpatched Exchange server with a KEV-listed vulnerability is a direct Cyber Essentials compliance failure.
How to Make the Case Internally
Three arguments for getting this prioritised:
The regulator’s catalogue says so. CISA’s Known Exploited Vulnerabilities list is the closest thing to an authoritative, real-time signal that a vulnerability is being actively weaponised. It is not vendor marketing. It is confirmed exploitation data. Any IT support provider who does not treat KEV additions as immediate action items is not providing adequate service.
The patch exists. This is not a situation where you are being asked to mitigate a vulnerability with no fix available. Microsoft has released the patch. NGINX has released the patch. The cost of applying them is an afternoon of IT work. The cost of not applying them, in the event of a successful breach, includes incident response, potential ICO notification under GDPR, reputational damage, and operational disruption.
On-premise email is a declining security posture. For businesses still running on-premise Exchange: this incident is a useful prompt to review whether the operational cost of maintaining on-premise email infrastructure is justified. Cloud-hosted email removes this entire class of infrastructure vulnerability. That conversation has a time and place; the time is not mid-incident, but the place can be the next IT review.
What to Do This Week
- Determine your email infrastructure. Ask your IT support or check your Microsoft licensing: are you on on-premise Exchange or cloud-hosted Microsoft 365? If on-premise, confirm that the patch for CVE-2026-42897 has been applied and request written confirmation.
- Check your web hosting. Ask your hosting provider or MSP: what web server software does your site run on? If NGINX is in the stack, has CVE-2026-42945 been patched? Request written confirmation. If your provider cannot answer within 24 hours, escalate.
- Review your IT support SLA for patch response. CISA KEV additions should trigger same-day or next-day action from any competent IT provider. If your SLA does not specify a response time for critical vulnerability patches, that gap needs closing.
- If you use Azure Local in any configuration, specifically disconnected or hybrid, raise CVE-2026-42822 with your IT provider this week. CVSS 10.0 and network-accessible privilege escalation is not a patch-at-leisure situation.
- Document the conversation. For GDPR accountability purposes, keep a record of when you raised these vulnerabilities with your IT provider and when they confirmed remediation. If a breach occurs and you cannot demonstrate that you took reasonable steps, the ICO’s assessment of your compliance position is harder to defend.
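A worked version of the KEV cross-check and patch-SLA tracking the steps above describe, added here as an example and not taken from the original article: it indexes a KEV-shaped feed against an asset inventory and flags entries that have exceeded a same-day/next-day response window. The feed content, dates, asset names and patch dates are constructed assumptions (only the CVE IDs come from the article); the live feed is CISA's published known_exploited_vulnerabilities.json, which has the same field names.

```python
"""Cross-check tracked CVEs against a CISA KEV-style feed and flag patch-SLA breaches."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the real feed;
# the dates, vendor/product strings and actions below are placeholders, not CISA's records.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-42945", "vendorProject": "NGINX", "product": "NGINX",
         "dateAdded": "2026-05-18", "dueDate": "2026-06-08",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ]
})

# Constructed inventory: each CVE you are tracking, the asset it affects, and the date (if any)
# on which your provider confirmed remediation in writing.
INVENTORY = {
    "CVE-2026-42897": {"asset": "mail01 (on-premise Exchange)", "patched_on": None},
    "CVE-2026-42945": {"asset": "www (hosting provider NGINX)", "patched_on": "2026-05-19"},
    "CVE-2026-42822": {"asset": "azure-local-edge", "patched_on": None},
}

SLA_DAYS = 1  # KEV additions should trigger same-day or next-day action


def load_kev(feed_json):
    """Index a KEV feed by CVE ID so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def assess(inventory, kev, today_iso):
    """Return per-CVE status: not-in-kev, patched, patched-late, within-sla or sla-breached."""
    today, sla = date.fromisoformat(today_iso), timedelta(days=SLA_DAYS)
    report = {}
    for cve, item in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            report[cve] = "not-in-kev"  # absence from KEV is not a pass; check vendor severity
            continue
        added = date.fromisoformat(entry["dateAdded"])
        if item["patched_on"]:
            fixed = date.fromisoformat(item["patched_on"])
            report[cve] = "patched" if fixed - added <= sla else "patched-late"
        else:
            report[cve] = "sla-breached" if today - added > sla else "within-sla"
    return report


if __name__ == "__main__":
    for cve, status in assess(INVENTORY, load_kev(SAMPLE_KEV_JSON), "2026-05-22").items():
        print(f"{cve}: {status} ({INVENTORY[cve]['asset']})")
```

Feed the live CISA JSON to load_kev instead of the sample, and the same report becomes the written record of when each KEV addition was raised and closed.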
| Source | Article |
|---|---|
| CISA | Known Exploited Vulnerabilities Catalog |
| Cyber Security News | CISA Warns of Microsoft Exchange Server Vulnerability Exploited in Attacks |
| Cyber Security News | Hackers Actively Exploiting Critical NGINX RCE Vulnerability in the Wild |
| NIST NVD | CVE-2026-42897 Detail |
| NIST NVD | CVE-2026-42945 Detail |
| NIST NVD | CVE-2026-42822 Detail |
| The Hacker News | Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More |
| TheCyberThrone | Pwn2Own Berlin 2026: A Detailed Report |
| NCSC | Vulnerability management guidance |