
Microsoft Exchange Servers Targeted by Active CVE-2026-42897 Exploit


"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," the tech giant said in a Thursday advisory.

CVE-2026-42897: what the bug is and how Microsoft rates it

Microsoft has disclosed a vulnerability tracked as CVE-2026-42897 with a CVSS score of 8.1. The company described the flaw as a cross-site scripting (XSS) issue that leads to a spoofing vulnerability. Microsoft assigned the vulnerability an "Exploitation Detected" assessment and credited an anonymous researcher with reporting the issue.

Attack vector: crafted email opened in Outlook Web Access

According to Microsoft's advisory, an attacker can weaponize the vulnerability by sending a crafted email to a user. If the recipient opens that message in Outlook Web Access and the session meets certain interaction conditions, arbitrary JavaScript can execute in the context of the user's browser. Redmond framed the problem as an XSS-based spoof that enables an unauthorized actor to perform spoofing over a network.

Mitigation options: Exchange Emergency Mitigation Service and EOMT

Microsoft says it is offering a temporary mitigation and is preparing a permanent fix. The primary temporary measure is the Exchange Emergency Mitigation Service, which will apply a mitigation automatically via a URL rewrite configuration and is enabled by default. Microsoft added that, if the service is not on, users are advised to enable the Windows service.

For environments that cannot use the Exchange Emergency Mitigation Service because of air-gap restrictions, Microsoft provided a per-server mitigation script and instructions to apply it across servers. Administrators are instructed to download the latest Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT and run the tool from an elevated Exchange Management Shell (EMS):

  • Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
  • All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

Microsoft also acknowledged a cosmetic issue where the mitigation may show "Mitigation invalid for this exchange version" in the Description field; the Exchange Team said "This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as 'Applied,'" and that it is investigating how to address the display inconsistency.
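A verification pass that ties the two mitigation paths together, added here as an example and not code from Microsoft's advisory or the article: it reports, for every non-Edge server, whether the Emergency Mitigation Service is running and which mitigations Exchange says are applied, and only then runs the EOMT command from above against the servers the service cannot reach. It assumes the service's Windows name MSExchangeMitigation and the Mitigations* properties of Get-ExchangeServer (the standard ones), and that EOMT.ps1 is already downloaded into the current directory of an elevated Exchange Management Shell.

```powershell
# Added verification script (not Microsoft's or the article's). Assumes an elevated
# Exchange Management Shell, EOMT.ps1 in the current directory, and the standard
# service name MSExchangeMitigation for the Exchange Emergency Mitigation Service.
$Cve = "CVE-2026-42897"

# Edge Transport servers never receive EEMS mitigations, so skip them.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

$report = foreach ($srv in $servers) {
    # Is the Emergency Mitigation Service installed and running on this server?
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $srv.Name
        EemsService        = if ($svc) { $svc.Status } else { "NotInstalled" }
        MitigationsEnabled = $srv.MitigationsEnabled
        MitigationsApplied = ($srv.MitigationsApplied -join ", ")
        MitigationsBlocked = ($srv.MitigationsBlocked -join ", ")
    }
}

# Human-readable status for the change record; "Applied" is the state that counts.
$report | Format-Table -AutoSize

# Servers where EEMS is not running (or is disabled) cannot pick up the automatic
# URL rewrite mitigation; those are the ones that need the offline EOMT run.
$needsEomt = $report | Where-Object { $_.EemsService -ne "Running" -or -not $_.MitigationsEnabled }
if ($needsEomt) {
    Write-Warning "EEMS not active on: $($needsEomt.Server -join ', '); applying EOMT mitigation for $Cve"
    Get-ExchangeServer | Where-Object { $_.Name -in $needsEomt.Server } | .\EOMT.ps1 -CVE $Cve
}
```

Re-run the report after EOMT finishes so the "Applied" status is recorded per server rather than inferred from the script having exited.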

Affected products and what is not affected

The advisory lists the following on-premises Exchange Server versions as affected: Exchange Server 2016 (any update level), Exchange Server 2019 (any update level), and Exchange Server Subscription Edition (SE) (any update level). Microsoft explicitly stated that Exchange Online is not impacted by CVE-2026-42897.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Microsoft has provided both an automated mitigation via the Exchange Emergency Mitigation Service and a scripted offline option (EOMT). Teams will need to verify whether the mitigation service is active by default in their environments and, where it is not, enable the Windows service or run EOMT from an elevated EMS as directed.
  • Affected enterprises and procurement leaders: On-premises Exchange deployments running 2016, 2019, or Subscription Edition at any update level should assume exposure until mitigations are confirmed applied. Enterprises that maintain air-gapped servers should follow the EOMT procedure from aka[.]ms/UnifiedEOMT.
  • End users: The vulnerability requires a user to open a crafted email in Outlook Web Access under specific interaction conditions. Microsoft recommended applying the provided mitigations in the interim while it prepares a permanent fix.

Microsoft noted there are currently no public details on how the vulnerability is being exploited, the identity of any threat actor behind observed activity, the scale of exploitation, who targets might be, or whether any of those attacks were successful. In the interim, Microsoft recommends applying the mitigations it published.

Read the original Microsoft advisory and reporting at: https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html