
Microsoft Exchange Server Under Fire: Actively Exploited Zero-Day Vulnerability Poses Major Threat

Microsoft has issued an urgent warning regarding a critical zero-day vulnerability, CVE-2026-42897, affecting on-premises versions of its Exchange Server. This flaw is reportedly being actively exploited in the wild, allowing attackers to execute arbitrary JavaScript code within a user's browser context by sending a specially crafted email.

Key Takeaways

  • A new zero-day vulnerability, CVE-2026-42897, impacts on-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition.

  • The vulnerability allows for cross-site scripting (XSS) and spoofing, enabling attackers to execute arbitrary JavaScript.

  • Active exploitation in the wild has been confirmed by Microsoft.

  • Temporary mitigations are available via the Exchange Emergency Mitigation Service or the Exchange on-premises Mitigation Tool (EOMT).

  • Permanent fixes are in development: the update for Exchange SE will be released publicly, while the updates for 2016/2019 will require enrollment in the Extended Security Updates (ESU) program.

The Vulnerability Explained

Tracked as CVE-2026-42897, the vulnerability is a cross-site scripting (XSS) flaw that stems from improper input neutralization during web page generation. This allows an unauthorized attacker to perform spoofing over a network. The exploit can be triggered when a user opens a specially crafted email within Outlook Web Access (OWA), provided certain interaction conditions are met. Successful exploitation results in arbitrary JavaScript code execution within the context of the user's web browser.

Affected Versions and Exploitation

Microsoft has confirmed that the following on-premises Exchange Server versions are affected, regardless of their update level:

  • Exchange Server 2016

  • Exchange Server 2019

  • Exchange Server Subscription Edition (SE)

Exchange Online is not impacted by this vulnerability. Microsoft has tagged the vulnerability with an "Exploitation Detected" assessment, indicating that threat actors are already leveraging this flaw. However, details regarding the specific methods of exploitation, the identity of the threat actors, or the scale of the attacks remain scarce.

Mitigation and Permanent Fixes

Microsoft is providing temporary mitigations while a permanent fix is developed. The primary recommended mitigation is through the Exchange Emergency Mitigation Service (EEMS), which is enabled by default and automatically applies the necessary configurations via URL rewrite. Administrators can verify its status using the Exchange Health Checker script. For environments unable to use EEMS, such as air-gapped systems, the Exchange on-premises Mitigation Tool (EOMT) can be used to manually apply the mitigation by running a provided PowerShell script.
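The verification step described above, as an added example that is not from the article or from Microsoft: a read-only status check of the Exchange Emergency Mitigation Service run from the Exchange Management Shell on a mitigation-capable on-premises server. The cmdlet properties MitigationsEnabled, MitigationsApplied and MitigationsBlocked and the service name MSExchangeMitigation are standard Exchange EEMS surfaces; the HealthChecker.ps1 path and the per-server filtering are assumptions, and no mitigation ID is hard-coded because the article does not name the one issued for CVE-2026-42897.

```powershell
# Added example (not from the article or Microsoft): read-only EEMS status check.
# Assumes the Exchange Management Shell on Exchange 2016 CU22+, 2019 CU11+, or SE.

# 1. Organization-wide switch: EEMS must be enabled here before any server applies mitigations.
$org = Get-OrganizationConfig
Write-Host ("Organization MitigationsEnabled : {0}" -f $org.MitigationsEnabled)

# 2. Per-server view: which mitigations were applied, which were blocked, and whether the
#    server opted out. An empty MitigationsApplied on an internet-facing server warrants a look.
Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion -like "Version 15.*" } |   # assumption: v15 = 2016/2019/SE
    Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# 3. The Windows service behind EEMS must be running for new mitigations to be fetched and applied.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "MSExchangeMitigation service not found; this build may predate EEMS, so EOMT may be required."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning ("MSExchangeMitigation is {0}; mitigations will not refresh until it is running." -f $svc.Status)
} else {
    Write-Host "MSExchangeMitigation service is running."
}

# 4. Optional: Microsoft's Health Checker also reports EEMS state (script path is an assumption;
#    download it separately from Microsoft's CSS-Exchange repository).
# .\HealthChecker.ps1 -Server $env:COMPUTERNAME
```

Run this on each mailbox server rather than once, since MitigationsEnabled can be turned off per server even when the organization-level flag is on; a server showing the org flag enabled but nothing under MitigationsApplied, or with the service stopped, is the case where EOMT's manual application applies.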

It is important to note that these temporary mitigations may disrupt some functionality, including OWA Print Calendar and the display of inline images in the OWA reading pane. OWA Light may also not function correctly.

Permanent security updates are in the works. An update for Exchange Server SE will be publicly released. However, updates for Exchange Server 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server Extended Security Updates (ESU) program.

Sources

  • On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email, The Hacker News.

  • Exploited Exchange Server flaw turns OWA inboxes into script launchpads, The Register.

  • Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897), Help Net Security.

  • Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers, Infosecurity Magazine.

  • Microsoft warns of Exchange zero-day flaw exploited in attacks, BleepingComputer.
