Microsoft Exchange Server faces two simultaneous attack tracks this cycle: CVE-2026-42897, a confirmed, actively exploited cross-site scripting (XSS) vulnerability in Outlook on the Web (OWA) that enables arbitrary JavaScript execution and, from there, session hijacking; and an unpatched Pwn2Own Exchange remote code execution (RCE) chain that yields SYSTEM and is subject to a 90-day disclosure deadline. Windows 11 also carries unpatched privilege escalation findings from Pwn2Own Berlin 2026. The combination of an actively weaponized web-layer vulnerability and a known-but-unpatched RCE chain against the same product creates an unusually high concurrent risk posture for Exchange-dependent organizations.