Microsoft warns of Exchange zero-day flaw exploited in attacks

On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users.

Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software.

While patches aren't yet available to permanently fix the vulnerability, the company added that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers.

"An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," the Exchange Team said.

"Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away. Please note that EM Service will not be able to check for new mitigations if your server is running Exchange Server version older than March 2023."

EEMS was introduced in September 2021 to provide automated protection for on-premises Exchange servers, securing them against ongoing attacks by applying interim mitigations for high-risk (and likely actively exploited) vulnerabilities.

EEMS runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with the Mailbox role. The security feature was added after many hacking groups exploited ProxyLogon and ProxyShell zero-days (which lacked patches or mitigation information) to breach Internet-exposed Exchange servers.

Admins with servers in air-gapped environments can also mitigate the flaw by downloading the latest Exchange on-premises Mitigation Tool (EOMT) version and applying the mitigation by running the script via an elevated Exchange Management Shell (EMS) with one of the following commands:

• Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"

• All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

Microsoft plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15, but says that updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server ESU program.

In October, weeks after Exchange 2016 and 2019 reached the end of support, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released guidance to help IT admins harden Microsoft Exchange servers against attacks.