Microsoft has revealed a newly discovered security vulnerability affecting on-premise versions of Exchange Server, warning that the flaw is already being actively exploited in real-world attacks.
The vulnerability, identified as CVE-2026-42897, carries a CVSS severity score of 8.1 and has been classified as a spoofing vulnerability caused by a cross-site scripting (XSS) issue. An anonymous security researcher was credited with discovering and responsibly disclosing the flaw.
According to Microsoft, the vulnerability stems from the improper neutralization of user input during web page generation in Microsoft Exchange Server. This weakness allows an unauthenticated attacker to execute spoofing attacks remotely over a network.
How the Attack Works
Microsoft explained that attackers can exploit the flaw by sending a specially crafted email to a target user. If the victim opens the email using Outlook Web Access (OWA) and certain interaction conditions are met, malicious JavaScript code may execute within the user’s browser session.
The company has confirmed that the vulnerability is under active exploitation, raising concerns for organizations still running vulnerable on-premise Exchange environments.
Affected Exchange Server Versions
The following on-premise Exchange Server editions are impacted:
- Exchange Server 2016 (all update levels)
- Exchange Server 2019 (all update levels)
- Exchange Server Subscription Edition (SE) (all update levels)
Microsoft clarified that Exchange Online is not affected by the vulnerability.
Microsoft Releases Temporary Mitigation
While a permanent security patch is still in development, Microsoft has issued temporary protections through the Exchange Emergency Mitigation Service (EEMS).
The mitigation is automatically deployed using a URL rewrite configuration and is enabled by default in supported environments. Organizations that have disabled the service are strongly advised to re-enable it immediately.
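An added example of how an administrator can verify that EEMS is actually in a position to deliver this mitigation (this is not Microsoft's tooling or code from the article): it checks the organization- and server-level MitigationsEnabled switches, the mitigation service state, and lists what each server reports as applied or blocked. It assumes the EEMS property names (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) and the MSExchangeMitigation service name as documented for the service, and is meant to run from an elevated Exchange Management Shell.

```powershell
# Added example, not Microsoft's script: audit (and optionally re-enable) the
# Exchange Emergency Mitigation Service so the CVE-2026-42897 URL rewrite
# mitigation can actually be delivered. Assumes the documented EEMS properties
# MitigationsEnabled / MitigationsApplied / MitigationsBlocked and the
# MSExchangeMitigation Windows service name.
param(
    [switch]$ReEnable   # pass -ReEnable to switch EEMS back on where it is off
)

$issues = @()

# 1. Organization-level switch: if this is False, EEMS is off on every server.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    $issues += "Organization-level MitigationsEnabled is False"
    if ($ReEnable) { Set-OrganizationConfig -MitigationsEnabled $true }
}

# 2. Per-server switch and service state. Edge Transport servers are skipped,
#    matching the EOMT guidance (they do not serve OWA).
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }
foreach ($srv in $servers) {
    if (-not $srv.MitigationsEnabled) {
        $issues += "$($srv.Name): server-level MitigationsEnabled is False"
        if ($ReEnable) { Set-ExchangeServer -Identity $srv.Name -MitigationsEnabled $true }
    }

    # Service check over the network; requires admin rights on the target host.
    # Get-Service -ComputerName is available in Windows PowerShell 5.1 (what EMS uses).
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne "Running") {
        $issues += "$($srv.Name): MSExchangeMitigation service is not running"
    }

    # Surface what EEMS reports so an admin can confirm the mitigation for this
    # CVE shows as applied rather than blocked (mitigation IDs are assigned by Microsoft).
    [pscustomobject]@{
        Server             = $srv.Name
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($srv.MitigationsApplied -join ",")
        Blocked            = ($srv.MitigationsBlocked -join ",")
    }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "EEMS enabled at org and server level; mitigation service running on all non-Edge servers." }
```

Run it once without -ReEnable to see the current state, then with -ReEnable on servers that report EEMS disabled; servers whose mitigations are blocked or whose service is stopped should be handled with the EOMT steps below.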
Mitigation Steps for Air-Gapped Environments
For organizations unable to use the Exchange Emergency Mitigation Service due to air-gap or restricted network environments, Microsoft recommends manually applying mitigations using the Exchange On-Premises Mitigation Tool (EOMT).
Steps to Apply the Mitigation
- Download the latest version of the Exchange On-Premises Mitigation Tool (EOMT).
- Run the mitigation script using an elevated Exchange Management Shell (EMS).
Single Server Command
.\EOMT.ps1 -CVE "CVE-2026-42897"
Apply to All Exchange Servers
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
Known Mitigation Display Issue
Microsoft also acknowledged a cosmetic issue where the mitigation status may display the message:
“Mitigation invalid for this exchange version.”
The company clarified that the mitigation is still successfully applied as long as the status shows “Applied.” Microsoft said it is investigating the display issue.
Limited Details on Ongoing Exploitation
At this time, Microsoft has not shared technical details about the attacks, including:
- The threat actors involved
- The scale of exploitation
- Specific targeted sectors or organizations
- Whether any attacks have resulted in successful compromise
Security experts recommend that administrators immediately apply Microsoft’s recommended mitigations and closely monitor Exchange Server environments for suspicious activity until an official patch becomes available.
