Exchange Server Zero-Day CVE-2026-42897 Exploited via Crafted Emails
Microsoft confirms active exploitation of CVE-2026-42897, an XSS flaw in Exchange OWA that executes JavaScript via malicious emails. No patch available yet.
Microsoft disclosed a zero-day vulnerability in on-premises Exchange Server that attackers are already exploiting in the wild. CVE-2026-42897 is a cross-site scripting flaw in Outlook Web Access that lets attackers execute arbitrary JavaScript in a victim's browser by sending a specially crafted email.
The vulnerability carries a CVSS score of 8.1 (High) and affects Exchange Server 2016, 2019, and Exchange Server Subscription Edition. Exchange Online is not impacted.
How the Attack Works
The attack requires minimal user interaction. An attacker sends a malicious email to the target. If the recipient opens that email in OWA and certain conditions are met, JavaScript code embedded in the message executes within their browser session.
Microsoft hasn't disclosed specifics about the exploitation conditions or the threat actors involved. The company confirmed active exploitation but is withholding details that could enable broader attacks.
This disclosure came just days after Microsoft's May Patch Tuesday addressed 120 other vulnerabilities. CVE-2026-42897 was not among them.
Affected Versions
The vulnerability impacts all recent Exchange Server builds:
- Exchange Server 2016 CU23 (April 2024 and later)
- Exchange Server 2019 CU14 and CU15
- Exchange Server Subscription Edition (all builds before May 2026)
Organizations still running older cumulative updates should not assume they're safe. Microsoft's advisory specifically targets recent builds, but the underlying code flaw may exist in earlier versions.
Mitigation Without a Patch
Since no patch exists yet, Microsoft has released two mitigation approaches.
Option 1: Exchange Emergency Mitigation Service (Recommended)
If your Exchange environment has the Emergency Mitigation (EM) Service enabled (it is on by default), the mitigation has already been applied automatically. According to Microsoft's advisory, administrators should verify the service is running and confirm mitigation M2 shows as applied.
Option 2: Manual Mitigation for Air-Gapped Environments
For environments without internet connectivity, administrators can download the latest Exchange on-premises Mitigation Tool (EOMT) and run it via an elevated Exchange Management Shell.
Known Side Effects
Applying the mitigations breaks some OWA functionality:
- Print Calendar feature stops working
- Inline images may not display in the reading pane
- OWA Light mode becomes non-functional
These tradeoffs are acceptable given the active exploitation, but organizations relying heavily on OWA should prepare users for degraded functionality until Microsoft releases a proper patch.
Why This Matters
Exchange Server zero-days remain high-value targets. The ProxyLogon and ProxyShell campaigns from 2021 demonstrated how quickly attackers weaponize Exchange vulnerabilities at scale. Even with organizations migrating to Exchange Online, tens of thousands of on-premises deployments remain in production.
The XSS attack vector is particularly concerning for environments where OWA serves as the primary email interface. Successful exploitation could lead to session hijacking, credential theft, or launching secondary attacks against other internal systems.
This isn't the first time Exchange Server has been exploited shortly after disclosure. Researchers at Pwn2Own Berlin just demonstrated multiple zero-days against Microsoft products, and the YellowKey and GreenPlasma disclosures from earlier this week show attackers and researchers alike are finding plenty of attack surface. Organizations running on-premises Exchange should treat this as a priority remediation.
Recommended Actions
- Verify EM Service status on all Exchange servers and confirm mitigation M2 is active
- Block external OWA access temporarily if business requirements permit
- Audit email logs for unusual message patterns targeting executives or IT staff
- Monitor for patches; Microsoft has committed to releasing updates for Exchange SE RTM, 2016 CU23, and 2019 CU14/CU15
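The verification step from the EM Service option above and the first and third recommended actions (confirm M2 on every server, audit mail aimed at executives or IT staff) can be scripted from an elevated Exchange Management Shell. The script below is an added example, not code from Microsoft's advisory or from its EOMT tooling. It assumes the mitigation identifier is the "M2" named in the article, that the Windows service name of the EM Service is MSExchangeMitigation, that the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties exposed by Get-ExchangeServer reflect EM Service state, and that the $WatchList addresses, the example.com internal domain and the seven-day lookback are placeholders to replace with your own values.

```powershell
# Added example (not from the advisory or Microsoft's own tooling): verify the
# Emergency Mitigation (EM) Service and mitigation M2 on every mailbox server,
# then pull a message-tracking sample for watch-listed mailboxes.
# Run from an elevated Exchange Management Shell (Windows PowerShell 5.1).
# Assumptions: 'M2' is the mitigation ID named in the advisory; $WatchList and
# the example.com domain are placeholders; the 7-day lookback is arbitrary.

$MitigationId = 'M2'
$WatchList    = @('ceo@example.com', 'it-admin@example.com')   # placeholder mailboxes
$LookbackDays = 7

# 1. Organization-wide switch: if this is $false, the EM Service applies
#    nothing on any server, regardless of per-server state.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Org-level MitigationsEnabled: $orgEnabled"

# 2. Per-server checks: the Windows service, the per-server switch, and
#    whether M2 is listed as applied or blocked.
$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
    $svc = Get-Service -ComputerName $srv.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server             = $srv.Name
        ServiceState       = if ($svc) { $svc.Status } else { 'NotFound' }
        MitigationsEnabled = $srv.MitigationsEnabled
        M2Applied          = ($srv.MitigationsApplied -contains $MitigationId)
        M2Blocked          = ($srv.MitigationsBlocked -contains $MitigationId)
    }
}
$report | Format-Table -AutoSize

# Servers that need attention: service not running, mitigations disabled, or
# M2 absent. These are the candidates for the manual EOMT path.
$needsAction = $report | Where-Object {
    $_.ServiceState -ne 'Running' -or -not $_.MitigationsEnabled -or -not $_.M2Applied
}
if ($needsAction) {
    Write-Warning "Servers without $MitigationId applied:`n$($needsAction | Out-String)"
}

# 3. Message-tracking sample: external senders delivering to the watch list,
#    ranked by volume, so a burst from an unfamiliar source stands out.
$start = (Get-Date).AddDays(-$LookbackDays)
Get-MessageTrackingLog -Start $start -EventId DELIVER -Recipients $WatchList -ResultSize Unlimited |
    Where-Object { $_.Sender -notlike '*@example.com' } |   # placeholder internal domain
    Group-Object Sender |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Get-MessageTrackingLog queries only the server it runs on unless -Server is given, so run the third step on each mailbox server (or loop over them) to get a complete picture. Servers flagged in the warning are the ones to handle with the EOMT route described under Option 2.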
Microsoft Exchange vulnerabilities consistently attract nation-state actors and ransomware operators alike. The combination of active exploitation and no available patch makes this a situation where waiting is not an option.