Microsoft Warns of Severe Zero-Day Flaw in On-Prem Exchange Servers

"If the EM Service is enabled, which it is by default, the mitigation has already been automatically applied," Microsoft warned in a security advisory published on May 14.

The vulnerability: CVE-2026-42897 and how it works

Microsoft disclosed a high-severity zero-day vulnerability, tracked as CVE-2026-42897, that allows an attacker to deliver arbitrary code to a victim by sending a specially crafted email to an Outlook user. The underlying flaw is an improper neutralization of input during web page generation (commonly called cross-site scripting, or XSS) in Microsoft Exchange Server. According to the advisory, this XSS weakness can enable an unauthorized attacker to perform spoofing over a network. The vulnerability carries a CVSS score of 8.1, classifying it as high-severity.

Which Exchange installations are affected — and which are not

Microsoft says the zero-day affects on-premises Exchange Server installations but does not impact Exchange Online. Specifically, the advisory lists the following affected versions:

  • All existing Exchange Server 2016 versions
  • All existing Exchange Server 2019 versions
  • All existing Exchange Server Subscription Edition (SE) versions

Microsoft has not yet released a patch for these servers and is actively working on security updates.

Temporary mitigations: Exchange Emergency Mitigation (EM) Service and EOMT

While a full patch is in development, Microsoft published two mitigation approaches administrators can use before updates are available. The first—and the company’s recommended option—is to rely on the Exchange Emergency Mitigation (EM) Service. As Microsoft noted, if that service is enabled (it is enabled by default), “the mitigation has already been automatically applied.” Administrators are advised to verify mitigations for CVE-2026-42897 (identified as M2.1.x) via the documented guidance, to run the Exchange Health Checker script to check EM Service and mitigation status, and to enable the EM Service if it is currently disabled.

Microsoft also warned that servers running versions older than March 2023 cannot receive new mitigations through the EM Service, making other response paths necessary for those environments.

For disconnected or air-gapped environments where the EM Service cannot be used, Microsoft documented a second approach: administrators can manually apply the mitigation by downloading the latest Exchange On-premises Mitigation Tool (EOMT) and running the provided PowerShell script from an elevated Exchange Management Shell. The script can be run against a single server or against all servers, referencing the CVE-2026-42897 identifier.
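The verification steps above (confirm the EM Service is on, confirm mitigation M2.1.x is applied, flag servers too old to receive EM mitigations, and hand the rest to Health Checker or EOMT) can be scripted from the Exchange Management Shell. The block below is an added example and is not Microsoft's code, nor part of EOMT or Health Checker. It assumes the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties exposed by `Get-OrganizationConfig` and `Get-ExchangeServer`, the `MSExchangeMitigation` Windows service name, and the `Version x.y (Build a.b)` format of `AdminDisplayVersion`. `$MinimumBuild` is a placeholder the administrator fills in from Microsoft's build table (the page only states the March 2023 cut-off), and the EOMT invocation itself is deliberately not shown because its parameters are not given here.

```powershell
# Added example (not Microsoft's code): audit EM Service coverage for CVE-2026-42897.
# Run from an elevated Exchange Management Shell (Windows PowerShell 5.1).

$MitigationId = 'M2.1'            # mitigation ID family named in the advisory (M2.1.x)
$Cve          = 'CVE-2026-42897'
# PLACEHOLDER: lowest Exchange build that still receives new EM mitigations.
# The advisory says builds older than the March 2023 updates do not; take the exact
# build number from Microsoft's Exchange build table before relying on this check.
$MinimumBuild = [version]'0.0.0.0'

# Organization-wide switch: when $false, the EM Service applies nothing on any server.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning 'EM Service is disabled org-wide. Enable with: Set-OrganizationConfig -MitigationsEnabled $true'
}

$report = foreach ($srv in Get-ExchangeServer) {
    # AdminDisplayVersion renders as "Version 15.2 (Build 1258.12)"; rebuild a comparable [version].
    $build = $null
    if ($srv.AdminDisplayVersion.ToString() -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        $build = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }

    # Windows service that fetches and applies mitigations (assumed service name).
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

    # Has any M2.1.x mitigation been applied on this server, and is anything blocked?
    $applied = @($srv.MitigationsApplied) | Where-Object { $_ -like "$MitigationId*" }
    $blocked = @($srv.MitigationsBlocked) -join ','

    [pscustomobject]@{
        Server              = $srv.Name
        Build               = $build
        ReceivesMitigations = [bool]($build -and $build -ge $MinimumBuild)
        ServiceStatus       = $svcStatus
        ServerEnabled       = [bool]$srv.MitigationsEnabled
        MitigationApplied   = [bool]$applied
        Blocked             = $blocked
    }
}

$report | Format-Table -AutoSize

# Anything not fully covered by EM needs a human: run Health Checker for detail and,
# where EM cannot reach the server (air-gapped or pre-March-2023 build), apply EOMT manually.
$needsAction = $report | Where-Object {
    -not $_.MitigationApplied -or -not $_.ServerEnabled -or -not $_.ReceivesMitigations -or $_.ServiceStatus -ne 'Running'
}
foreach ($s in $needsAction) {
    Write-Warning ("{0}: mitigation {1} for {2} not confirmed (EM enabled={3}, service={4}, receives EM={5}). " +
                   "Check with: .\HealthChecker.ps1 -Server {0}; if EM cannot reach it, apply the current EOMT " +
                   "per Microsoft's guidance (parameters not shown in this example).") -f
                   $s.Server, $MitigationId, $Cve, $s.ServerEnabled, $s.ServiceStatus, $s.ReceivesMitigations
}
```

The report is deliberately read-only: it surfaces which servers still depend on a manual EOMT run, and which ones cannot be reached by EM at all, without changing any setting. Because the mitigation may disable OWA Print Calendar and inline images, the warning list is also the set of servers whose users should be told about that loss of functionality once the mitigation lands.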

Operational impacts and update distribution constraints

Microsoft cautioned that both mitigation options can introduce operational side effects. The company explicitly acknowledged that applying the mitigations may disable or disrupt certain features, citing examples such as OWA Print Calendar and Inline images. Organizations will need to weigh the availability trade-offs of mitigations against the exposure risk until patches arrive.

Microsoft also set expectations about how patches will be delivered: the Exchange Subscription Edition (SE) update will be published as a publicly available security update, while updates for Exchange 2016 and Exchange 2019 will be released only to customers enrolled in the Period 2 Exchange Server Extended Security Update (ESU) program.

What this means for technologists, administrators, and end users

  • Technologists and security teams: Verify whether the EM Service is enabled (it is enabled by default) and confirm that the mitigation M2.1.x for CVE-2026-42897 is applied; run the Exchange Health Checker script and consult Microsoft documentation for validation steps.
  • Administrators of air-gapped or disconnected environments: Plan to download and run the Exchange On-premises Mitigation Tool (EOMT) and execute the PowerShell script from an elevated Exchange Management Shell, targeting affected servers with the CVE identifier, while accounting for the potential loss of functionality.
  • Procurement and compliance teams running Exchange 2016 or 2019: Note that security updates for those versions will be available only to customers enrolled in the Period 2 ESU program; consider enrollment status when planning patching and risk mitigation timelines.
  • End users: Be aware that some Exchange web features—such as printing calendars from OWA or inline images—may be unavailable if mitigations are applied.

Microsoft is working on security patches and has provided immediate mitigations to reduce exploitation risk. Administrators should confirm the EM Service status or apply the EOMT where EM cannot reach servers, and prepare for the staged distribution of fixes—public for Exchange SE, ESU-only for Exchange 2016 and 2019—when Microsoft releases the updates.

Original story: https://www.infosecurity-magazine.com/news/microsoft-zeroday-exchange-servers/