Just 48 hours after releasing Patch Tuesday fixes that addressed 137 vulnerabilities but no zero-days, Microsoft disclosed an Exchange Server flaw that attackers are already exploiting in the wild.
Tracked as CVE-2026-42897, the vulnerability carries a CVSS score of 8.1 and affects all versions of Exchange Server 2016, 2019, and Subscription Edition (SE). It does not impact Exchange Online. The flaw is a cross-site scripting (XSS) and spoofing issue in Outlook Web Access (OWA). An attacker can send a specially crafted email that, when opened by a user under certain conditions, executes arbitrary JavaScript in the victim's browser within the context of their OWA session, so no prior foothold on the server is needed.
"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," Microsoft said in its advisory. A permanent patch is not yet available. Microsoft is directing administrators to the Exchange Emergency Mitigation Service (EEMS), introduced in September 2021 after state-backed hacking groups exploited the ProxyLogon and ProxyShell zero-days to breach internet-exposed Exchange servers. The service runs as a Windows service on Mailbox servers and is enabled by default. Where it is active and able to reach Microsoft's mitigation endpoint, the mitigation for this flaw has been applied automatically.
Administrators can confirm that the mitigation landed by running the Exchange Health Checker script or by checking Microsoft's documentation for the CVE-2026-42897 mitigations. For air-gapped or disconnected environments, Microsoft offers a manual option: download the latest Exchange On-premises Mitigation Tool and run its PowerShell script from an elevated Exchange Management Shell.
There is a catch. Servers that have not installed the March 2023 Security Update (or a later one) cannot receive new mitigations through EEMS at all. And the mitigations come with side effects: OWA Print Calendar may stop working, inline images may not display correctly in the reading pane, and the deprecated OWA light mode is broken entirely.
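The verification and the March 2023 caveat described above can be checked in one pass from an elevated Exchange Management Shell. The script below is an added example and is not the Health Checker, the Exchange On-premises Mitigation Tool, or any code from the article or from Microsoft. It relies on the documented EEMS surface: the MSExchangeMitigation Windows service, the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties on Get-ExchangeServer and Get-OrganizationConfig, the officeclient.microsoft.com mitigation endpoint, and the MitigationService log folder under the Exchange install path. The minimum cumulative updates named in the comments (2016 CU22 / 2019 CU11) and the build-number comparison are assumptions the administrator must confirm against Microsoft's own documentation for their version.

```powershell
# Added example (not code from the article or Microsoft): audit EEMS state and
# which mitigations have actually been applied on every Mailbox server.
# Run from an elevated Exchange Management Shell.

# 1. EEMS runs as the Windows service "MSExchangeMitigation". If it is absent, the
#    server predates EEMS (assumption: needs 2016 CU22 / 2019 CU11 or later).
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'MSExchangeMitigation service not found; EEMS is not installed on this server.'
} else {
    '{0,-32} {1}' -f 'MSExchangeMitigation service:', $svc.Status
}

# 2. Organisation-wide switch. If this is $false, no server applies anything
#    regardless of its own setting.
$org = Get-OrganizationConfig
'{0,-32} {1}' -f 'Org MitigationsEnabled:', $org.MitigationsEnabled

# 3. Per-server state. MitigationsApplied lists the mitigation IDs EEMS has applied;
#    MitigationsBlocked lists IDs an admin has excluded (e.g. because of the OWA
#    side effects). AdminDisplayVersion is the build to compare against the
#    March 2023 SU: older builds cannot receive new mitigations at all.
Get-ExchangeServer | Where-Object { $_.IsMailboxServer } | ForEach-Object {
    [pscustomobject]@{
        Server             = $_.Name
        Build              = $_.AdminDisplayVersion
        MitigationsEnabled = $_.MitigationsEnabled
        MitigationsApplied = ($_.MitigationsApplied -join ', ')
        MitigationsBlocked = ($_.MitigationsBlocked -join ', ')
    }
} | Format-Table -AutoSize

# 4. Reachability. EEMS polls the Office Configuration Service over HTTPS; if egress
#    is filtered, proxied without credentials, or air-gapped, nothing is ever fetched
#    and the manual EOMT route is the only option.
$endpoint = 'officeclient.microsoft.com'
$tnc = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
if ($tnc.TcpTestSucceeded) {
    "Mitigation endpoint $endpoint:443 reachable"
} else {
    Write-Warning "Cannot reach $endpoint:443; EEMS cannot download mitigations from here."
}

# 5. Tail the newest EEMS log so you can see what was fetched and applied, and when.
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
Get-ChildItem -Path $logDir -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    Get-Content -Tail 20
```

If a mitigation's side effects are unacceptable for a particular server, the per-server MitigationsBlocked setting on Set-ExchangeServer excludes that mitigation ID rather than disabling EEMS outright; disabling the service org-wide leaves the server exposed to this and every future mitigation-only fix.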
Microsoft plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14 and CU15. But the Exchange 2016 and 2019 updates will only be available to customers enrolled in the Period 2 Extended Security Updates (ESU) program, leaving on-premises servers without an ESU license and without a path to a permanent fix. An anonymous researcher has been credited with reporting the vulnerability. Microsoft has not shared details of the active attacks exploiting CVE-2026-42897.
Over the last five years, CISA has added 19 Exchange Server vulnerabilities to its catalog of actively exploited flaws, 14 of which were abused in ransomware attacks. CVE-2026-42897 has not yet been added to CISA's Known Exploited Vulnerabilities list.