The vulnerability, tracked as CVE-2026-42897, affects Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition. Exchange Online is not affected, narrowing the immediate exposure to organisations that still operate self-managed mail infrastructure in corporate, government, health, education and regulated-sector environments.
The flaw stems from improper neutralisation of input during web page generation, a cross-site scripting (XSS) weakness that can allow an unauthenticated attacker to perform spoofing over a network. Successful exploitation may allow arbitrary JavaScript to run in a user's browser context when a specially crafted message is opened in Outlook Web Access and certain user-interaction conditions are met.
The issue carries a high-severity CVSS v3.1 score of 8.1 in vendor-linked data, although other vulnerability databases may display lower provisional scoring while enrichment is still under way. Its operational seriousness lies less in the technical label of spoofing and more in Exchange Server’s position as a high-value gateway into enterprise communications, authentication flows and sensitive internal correspondence.
Microsoft has not yet issued a permanent patch. Instead, it has pushed temporary protection through the Exchange Emergency Mitigation Service, which is designed to apply interim safeguards on supported on-premises servers during active exploitation. Administrators in restricted or air-gapped networks have been directed to use the Exchange On-premises Mitigation Tool and apply the mitigation manually.
The temporary mitigation is not without side effects. Some Outlook Web Access functions may be disrupted, including calendar printing and display of inline images in the reading pane. The older OWA light interface may also be affected. These limitations are likely to be outweighed for most organisations by the risk of leaving internet-exposed mail servers vulnerable while attackers probe for unprotected systems.
The affected platforms include Exchange Server Subscription Edition RTM, Exchange Server 2019 Cumulative Update 14 and 15, and Exchange Server 2016 Cumulative Update 23. Organisations running older builds face a more difficult position because emergency mitigations and future fixes may not apply reliably to unsupported servers. Administrators have been urged to confirm whether the emergency mitigation service is enabled, verify that mitigation M2.1 has been applied, and review access logs for suspicious Outlook Web Access activity.
CISA has added CVE-2026-42897 to its Known Exploited Vulnerabilities catalogue, setting a May 29, 2026 deadline for covered federal civilian agencies to apply vendor mitigation or discontinue use if mitigation is unavailable. While that directive formally applies to US federal systems, the catalogue is widely used by private-sector security teams as a prioritisation benchmark for exploited vulnerabilities.
Exchange Server has long been a favoured target for state-linked and criminal hacking groups because successful compromise can expose email archives, credentials and internal routing information. Previous waves of exploitation, including the ProxyLogon and ProxyShell campaigns, showed how quickly Exchange weaknesses can move from targeted attacks to broad opportunistic scanning once technical details circulate.
The timing adds pressure for organisations still managing migration from older Exchange deployments. Exchange Server 2016 and 2019 entered a constrained lifecycle path before the Subscription Edition became the strategic on-premises option for customers that cannot fully move to cloud-hosted mail. Many enterprises still retain local Exchange servers for hybrid identity, compliance, data residency or operational reasons, creating a durable attack surface even as cloud mail adoption expands.
Security teams are expected to prioritise three steps: confirm server inventory, validate the mitigation state, and reduce exposure of Outlook Web Access where business operations allow. Common defensive measures include limiting external OWA access, placing access behind VPN or conditional controls, monitoring for abnormal mailbox activity, and preparing for rapid deployment of Microsoft’s permanent update once released.
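A PowerShell check for the inventory and mitigation-state steps listed above, and for the M2.1 verification mentioned earlier, added here as an example (it is not code from the article, Microsoft or CISA). It assumes an Exchange Management Shell session with read access to the organisation and server objects, and that the mitigation identifier appears verbatim as `M2.1` in each server's applied-mitigations list.

```powershell
# Added example, not from the article or Microsoft. Run in the Exchange Management Shell
# with an account that can read organisation and server configuration (read-only suffices).
# It covers the first two steps the article lists: inventory the servers and validate the
# mitigation state (EEMS enabled, mitigation M2.1 applied, nothing blocked).

$requiredMitigation = 'M2.1'   # identifier as reported; confirm against Microsoft's advisory

# Organisation-wide switch for the Exchange Emergency Mitigation Service.
$orgConfig = Get-OrganizationConfig
Write-Host ("EEMS enabled at organisation level: {0}" -f $orgConfig.MitigationsEnabled)

# Per-server inventory: build version, whether EEMS is enabled on that server, and which
# mitigations it reports as applied or blocked.
$report = Get-ExchangeServer | ForEach-Object {
    $applied = @($_.MitigationsApplied)
    [PSCustomObject]@{
        Server      = $_.Name
        Version     = $_.AdminDisplayVersion
        EemsEnabled = $_.MitigationsEnabled
        Applied     = ($applied -join ', ')
        Blocked     = (@($_.MitigationsBlocked) -join ', ')
        HasRequired = ($applied -contains $requiredMitigation)
    }
}

$report | Format-Table -AutoSize

# Servers still needing attention: EEMS off, or the required mitigation missing.
# Air-gapped servers need the manual EOMT route the article describes.
$needsAction = @($report | Where-Object { -not $_.EemsEnabled -or -not $_.HasRequired })
if ($needsAction.Count -gt 0) {
    Write-Warning ("{0} server(s) without {1}: {2}" -f $needsAction.Count, $requiredMitigation,
        (($needsAction | ForEach-Object { $_.Server }) -join ', '))
} else {
    Write-Host "All servers report EEMS enabled and $requiredMitigation applied."
}
```

Compare the reported versions against the supported builds named in the article; older builds may not receive the mitigation reliably even when EEMS is enabled.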
The disclosure also highlights a wider industry concern over security debt in legacy collaboration systems. Email platforms sit at the intersection of identity, document exchange and executive communications, making even browser-context flaws potentially consequential when chained with phishing, session theft or post-compromise movement.
Microsoft has credited an anonymous researcher with reporting the issue. The company has not released detailed indicators of compromise or public information about the actors exploiting the flaw, leaving defenders to rely on behavioural monitoring, web access logs, message tracing and endpoint telemetry to identify suspicious activity.