On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

A newly disclosed security vulnerability affecting on-premises Microsoft Exchange Server is being actively exploited in the wild, raising concerns for organizations still relying on self-hosted email infrastructure.

The flaw, tracked as CVE-2026-42897, affects multiple versions of Microsoft Exchange and allows attackers to execute malicious JavaScript through specially crafted emails under certain conditions.

Spoofing Flaw Enables Cross-Site Scripting via Email

The vulnerability impacts on-premises deployments of Microsoft Exchange Server and is classified as a spoofing issue caused by improper input handling that leads to cross-site scripting (XSS).

According to Microsoft, an attacker can exploit the flaw by sending a specially crafted email. When the message is opened through Outlook Web Access and specific interaction conditions are met, malicious JavaScript may execute within the user’s browser session.

Active Exploitation Confirmed

Microsoft has confirmed that the vulnerability is being actively exploited, though details about the threat actors, attack scale, or targeted regions have not yet been disclosed.

The company assigned the issue an “Exploitation Detected” status, indicating real-world abuse rather than theoretical risk.

Affected Exchange Server Versions

The vulnerability impacts multiple on-premises versions, including:

  • Exchange Server 2016 (all update levels)
  • Exchange Server 2019 (all update levels)
  • Exchange Server Subscription Edition (all update levels)

Microsoft clarified that Exchange Online is not affected.

Temporary Mitigation Available Through Microsoft Service

To reduce immediate risk, Microsoft has deployed a temporary safeguard through its Exchange Emergency Mitigation Service. The service applies automatic protections using URL rewrite rules and is enabled by default on supported systems.

Administrators who do not have it enabled are advised to activate the Windows service immediately.
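As an added illustration (not Microsoft's own code or a script shipped with Exchange), the following Exchange Management Shell snippet checks the things the Emergency Mitigation Service needs in order to protect a server: the MSExchangeMitigation Windows service running, mitigations enabled at both organization and server scope, and outbound HTTPS reachability to the Office CDN from which the rewrite rules are fetched. It also prints which mitigations are currently applied, which is the status the article says may be accompanied by a cosmetic warning. The cmdlets and property names are the documented Exchange ones; the server name (defaulting to the local machine) and the CDN host name are assumptions of this example.

```powershell
# Added example: verify Exchange Emergency Mitigation Service (EEMS) readiness
# on an on-premises Exchange 2016/2019/SE server, and optionally enable it.
# Run from the Exchange Management Shell. Server name and CDN host are
# assumptions for this example; cmdlets and properties are the documented ones.

function Test-EemsReadiness {
    [CmdletBinding()]
    param(
        [string]$Server = $env:COMPUTERNAME,
        [switch]$Remediate
    )

    $result = [ordered]@{ Server = $Server }

    # 1. The Windows service itself (short name MSExchangeMitigation).
    $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status } else { 'NotInstalled' }

    # 2. Mitigations must be enabled at organization AND server scope.
    $org = Get-OrganizationConfig
    $srv = Get-ExchangeServer -Identity $Server
    $result.OrgMitigationsEnabled    = $org.MitigationsEnabled
    $result.ServerMitigationsEnabled = $srv.MitigationsEnabled
    $result.MitigationsApplied       = $srv.MitigationsApplied
    $result.MitigationsBlocked       = $srv.MitigationsBlocked

    # 3. EEMS downloads its rules from Microsoft's CDN; an offline or
    #    air-gapped host fails here and must use the manual EOMT path.
    $cdn = Test-NetConnection -ComputerName officecdn.microsoft.com -Port 443 `
               -WarningAction SilentlyContinue
    $result.CdnReachable = $cdn.TcpTestSucceeded

    $result.Ready = ($result.ServiceStatus -eq 'Running') -and
                    $result.OrgMitigationsEnabled -and
                    $result.ServerMitigationsEnabled -and
                    $result.CdnReachable

    # Optional fix-up: turn on what is off, then start the service.
    if ($Remediate -and -not $result.Ready) {
        if (-not $org.MitigationsEnabled) {
            Set-OrganizationConfig -MitigationsEnabled $true
        }
        if (-not $srv.MitigationsEnabled) {
            Set-ExchangeServer -Identity $Server -MitigationsEnabled $true
        }
        if ($svc -and $svc.Status -ne 'Running') {
            Set-Service -Name MSExchangeMitigation -StartupType Automatic
            Start-Service -Name MSExchangeMitigation
        }
    }

    [pscustomobject]$result
}

# Report readiness for this server, then list the mitigations currently
# applied (Get-Mitigations.ps1 lives in the scripts folder, $exscripts).
Test-EemsReadiness | Format-List
& (Join-Path $exscripts 'Get-Mitigations.ps1')
```

Run it once per Exchange server without `-Remediate` to take inventory; `-Remediate` only flips the documented switches and starts the service, so a server that fails the CDN check still shows `Ready = False` afterwards and needs the manual mitigation path described in the next section.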

Offline and Air-Gapped Systems Guidance

For environments where automatic mitigation cannot be used, Microsoft recommends applying the Exchange On-Premises Mitigation Tool (EOMT) manually via Exchange Management Shell.

Administrators can apply protections on a single server or across all servers in an environment using provided scripts.

Microsoft also acknowledged a cosmetic issue where mitigation status may incorrectly display warnings, but confirmed that protections remain effective when marked as “Applied.”

No Patch Yet, Investigation Ongoing

At the time of disclosure, Microsoft has not released a permanent security patch. The company continues to investigate the root cause and exploitation methods while urging administrators to apply mitigations without delay.

No information has been released regarding the identity of attackers or whether successful breaches have occurred.

CISA Adds Vulnerability to Known Exploited List

Following confirmation of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog.

Federal agencies are required to apply mitigation measures by May 29, 2026, highlighting the severity of the threat.

Security Recommendations

Security experts strongly recommend that organizations:

  • Enable Exchange Emergency Mitigation Service immediately
  • Apply Microsoft’s mitigation tool in air-gapped environments
  • Monitor Outlook Web Access activity for suspicious behavior
  • Restrict external email interactions where possible until a patch is released
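One way to act on the monitoring recommendation, as an added example that is not from the article or from Microsoft: a PowerShell script that parses IIS W3C logs from the Exchange front end, isolates Outlook Web Access requests, and flags script-like content in query strings as well as unusually high request volume from a single client. The log lines, IP addresses, user names, log path and threshold are all constructed for illustration. The patterns are generic XSS and abuse indicators rather than a signature for CVE-2026-42897; since the article describes a payload carried in a crafted email rather than in a request URL, treat these as general hygiene signals for OWA traffic.

```powershell
# Added example: triage IIS W3C logs for Outlook Web Access (OWA) requests.
# The log lines below are constructed; the heuristics are generic, not a
# detection signature for CVE-2026-42897.

$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-05-12 08:01:10 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 200 120
2026-05-12 08:01:12 10.0.0.5 POST /owa/service.svc action=GetConversationItems 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 200 310
2026-05-12 08:02:44 10.0.0.5 GET /owa/ item=%3Cscript%3Ealert(1)%3C%2Fscript%3E 443 - 203.0.113.9 curl/8.0 200 95
2026-05-12 08:03:01 10.0.0.5 GET /ecp/ - 443 CONTOSO\bob 10.0.0.22 Mozilla/5.0 200 80
2026-05-12 08:03:05 10.0.0.5 GET /owa/attachment.ashx id=AAMk%3D&x=javascript%3Aalert(1) 443 CONTOSO\carol 198.51.100.7 Mozilla/5.0 200 140
'@

function ConvertFrom-IisLog {
    # Turn W3C log text into objects keyed by the #Fields header names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }                 # no header seen yet
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }  # malformed line, skip
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # IIS writes '-' for an empty field; normalise it to ''.
            $obj[$fields[$i]] = if ($values[$i] -eq '-') { '' } else { $values[$i] }
        }
        [pscustomobject]$obj
    }
}

function Find-SuspiciousOwaRequest {
    param(
        [object[]]$Entries,
        [int]$PerClientThreshold = 50     # constructed threshold; tune per site
    )
    # Script-like fragments that have no business in an OWA query string.
    $pattern = '(?i)<\s*script|javascript\s*:|on(error|load|click|mouseover)\s*='
    $owa = $Entries | Where-Object { $_.'cs-uri-stem' -like '/owa/*' }

    $findings = foreach ($e in $owa) {
        $decoded = [System.Uri]::UnescapeDataString($e.'cs-uri-query')
        if ($decoded -match $pattern) {
            [pscustomobject]@{
                Time     = "$($e.date) $($e.time)"
                ClientIP = $e.'c-ip'
                User     = $e.'cs-username'
                Reason   = 'script-like content in query string'
                Detail   = $decoded
            }
        }
    }
    # Volume heuristic: one client hammering OWA far above the norm.
    $volume = $owa | Group-Object 'c-ip' |
        Where-Object { $_.Count -gt $PerClientThreshold } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = ''
                ClientIP = $_.Name
                User     = ''
                Reason   = "more than $PerClientThreshold OWA requests"
                Detail   = "$($_.Count) requests"
            }
        }
    @($findings) + @($volume)
}

# Usage with the constructed sample (two query-string findings expected).
$entries = ConvertFrom-IisLog -Lines ($SampleLog -split "`r?`n")
Find-SuspiciousOwaRequest -Entries $entries | Format-Table -AutoSize

# For a real server, feed the front-end IIS log instead (path is an assumption):
# $entries = ConvertFrom-IisLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex260512.log')
```

Run it against the Default Web Site logs on each Client Access server; the query-string check is cheap enough to schedule hourly, while the per-client threshold should be set from a baseline of normal OWA traffic before it is used for alerting.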

Conclusion

The active exploitation of CVE-2026-42897 underscores ongoing risks facing on-premises email infrastructure. With attackers leveraging crafted emails to trigger browser-based code execution, organizations are urged to apply mitigations urgently while awaiting a permanent fix from Microsoft.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved