Skip to main content

Microsoft Flags Exchange Zero-Day Flaw Exploited in Targeted Attacks

Laptop screen shows an email inbox with a suspicious message highlighted in a bright, neutral room near a window.

CVE-2026-42897: a cross-site scripting weakness that lets an attacker run arbitrary JavaScript when a recipient opens a crafted message in Outlook on the web.

CVE-2026-42897: the flaw and how it is exploited

Microsoft described CVE-2026-42897 as a spoofing vulnerability that affects up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). According to the Exchange Team, "an attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context." The company characterized the issue as high-severity and said it is being exploited in active attacks targeting Outlook on the web users.

Exchange Emergency Mitigation Service (EEMS) and immediate protection

Because patches were not yet available at the time of Microsoft’s advisory, the company pointed administrators to the Exchange Emergency Mitigation Service (EEMS) as the primary immediate defense. Microsoft said EEMS "will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers." The Exchange Team recommended: "Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away."

Microsoft also warned that "EM Service will not be able to check for new mitigations if your server is running Exchange Server version older than March 2023," making version currency a gating factor for automatic mitigation delivery.

EEMS background and operational details

EEMS was introduced in September 2021 to provide automated protection for on-premises Exchange servers against ongoing attacks by applying interim mitigations for high-risk vulnerabilities that are likely being actively exploited. The service "runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with the Mailbox role." Microsoft added EEMS after many hacking groups exploited the unmitigated ProxyLogon and ProxyShell zero-days to breach Internet-exposed Exchange servers.

Manual mitigation for air-gapped and restricted environments

For administrators who cannot rely on EEMS—notably those in air-gapped environments—Microsoft published guidance to apply the mitigation manually using the Exchange on-premises Mitigation Tool (EOMT). Admins are instructed to download the latest EOMT and run the mitigation via an elevated Exchange Management Shell (EMS) using one of the following commands:

  • Single server:

    .\EOMT.ps1 -CVE "CVE-2026-42897"

  • All servers:

    Get-ExchangeServer | Where-Object {{ $_.ServerRole -ne "Edge" }} | .\EOMT.ps1 -CVE "CVE-2026-42897"

Microsoft framed these options as the practical way for admins without EEMS access to apply the available mitigations immediately.

Patch timeline, update eligibility, and related government guidance

Microsoft said it plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. However, updates for Exchange 2016 and 2019 will be available only to customers enrolled in the Period 2 Exchange Server ESU program. The company’s advisory thus ties long-term remediation to both product version and support-enrollment status.

Microsoft’s announcement also noted that in October, weeks after Exchange 2016 and 2019 reached end of support, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released guidance to help IT administrators harden Microsoft Exchange servers against attacks—context that reinforces why interim mitigations matter when full patches are delayed or tied to extended-support programs.

How technologists, administrators, and air-gapped environments are responding

Technologists and security teams: will be watching whether EEMS detects and deploys a mitigation automatically and whether their servers are recent enough (post-March 2023) to receive those updates. Teams with disabled EM Service were explicitly urged by Microsoft to enable it immediately.

IT administrators and procurement leaders: must decide between relying on EEMS, applying EOMT manually in constrained networks, or enrolling in the Period 2 Exchange Server ESU program to obtain the forthcoming updates for older supported cumulative updates.

Air-gapped environments: are directed to download the latest EOMT and run the precise EMS commands Microsoft published to apply the mitigation locally, since EEMS cannot reach isolated servers.

Microsoft’s advisory frames CVE-2026-42897 as an urgent operational problem with a clear short-term fix path—automatic mitigation via EEMS or manual deployment via EOMT—and a conditional long-term fix tied to forthcoming patches and ESU eligibility. Organizations that operate Exchange on-premises face a concrete decision now: enable and trust EEMS, run the manual mitigation script, or ensure they are enrolled and eligible for the Exchange Server ESU program before the supplied patches arrive.

Source: BleepingComputer — Microsoft warns of Exchange zero-day flaw exploited in attacks