Key Takeaways
- Microsoft confirmed a zero‑day remote‑code‑execution flaw in on‑premises Exchange Server, tracked as CVE‑2026‑42897.
- The vulnerability is a cross‑site‑scripting (XSS) issue that lets an unauthenticated attacker run arbitrary JavaScript in Outlook Web Access, leading to spoofing and potential full system compromise.
- Affected versions include Exchange Server 2016, 2019, and Subscription Edition (SE) at any update level; Exchange Online is not impacted.
- CISA added CVE‑2026‑42897 to its Known Exploited Vulnerabilities Catalog on May 15, warning that the flaw is under active exploitation.
- Microsoft recommends enabling the Exchange Emergency Mitigation Service (EEMS) as an immediate workaround; a formal patch is pending.
- Organizations should run the Exchange Health Checker script to verify that EEMS is active and that mitigation ID M2.1.x is applied.
- Security experts stress that the flaw’s proximity to identity and communication layers makes it a high‑value target, urging rapid validation of mitigations and consideration of moving to Exchange Online or isolating servers behind a zero‑trust gateway.
Overview of the Zero‑Day
On May 14, Microsoft disclosed a newly discovered zero‑day vulnerability affecting its on‑premises Exchange Server platforms. The flaw, assigned CVE‑2026‑42897, was highlighted after being demonstrated at the Pwn2Own Berlin hacking event and subsequently added to CISA’s Known Exploited Vulnerabilities Catalog on May 15. Although the vulnerability was responsibly disclosed and not released into the wild, CISA warned that it is already being actively exploited by threat actors. This places Exchange Server once again at the forefront of enterprise security concerns, given its central role in handling email, calendaring, and identity services.
Technical Details of CVE‑2026‑42897
Microsoft describes CVE‑2026‑42897 as a spoofing vulnerability rooted in improper neutralization of input during web page generation—essentially a cross‑site‑scripting (XSS) condition. When an attacker sends a specially crafted email that, once opened in Outlook Web Access (OWA), executes arbitrary JavaScript in the victim’s browser context, the attacker can manipulate the OWA interface, steal session tokens, or launch further payloads. Because the exploit requires no authentication and only needs the user to view the malicious email, it provides a stealthy entry point into the Exchange environment. Damon Small of Xcape, Inc., emphasized that the flaw enables unauthenticated remote code execution, effectively giving attackers a direct route to corporate identity and communications systems.
Impacted Versions and Scope
The zero‑day affects all on‑premises Exchange Server editions regardless of update level: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Notably, Microsoft’s cloud‑based Exchange Online service is not vulnerable, meaning organizations that have migrated to the Microsoft 365 suite are insulated from this particular flaw. For those still running legacy on‑premises deployments, the exposure is broad, as any server running the affected versions can be targeted simply by delivering a malicious email to a user’s mailbox.
CISA Alert and Active Exploitation
Following Microsoft’s disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) placed CVE‑2026‑42897 on its Known Exploited Vulnerabilities Catalog on May 15. CISA’s advisory stressed that attackers are already leveraging the vulnerability in the wild, urging all organizations to prioritize timely remediation. The agency highlighted that the attack vector—sending a malicious email that triggers XSS in OWA—poses a significant risk because it bypasses traditional authentication controls and can lead to credential theft, data exfiltration, or further lateral movement within the network.
Mitigation via Exchange Emergency Mitigation Service
In the absence of a formal patch, Microsoft has advised organizations to employ the Exchange Emergency Mitigation Service (EEMS) as an immediate defensive measure. EEMS can apply virtual patches that block the exploited URI patterns used by the XSS payload. Microsoft stated, “Using EM Service is the best way for your organization to mitigate this vulnerability right away,” and recommended that any disabled EEMS be enabled without delay. The mitigation is delivered as a temporary “virtual band‑aid” that blocks the malicious input until a permanent patch is released.
How to Verify Mitigation
To confirm that EEMS is functioning correctly and that the specific mitigation for CVE‑2026‑42897 is applied, organizations should run the Exchange Health Checker script supplied by Microsoft. The script generates an HTML report that includes a section dedicated to EEMS check results. Administrators should look for mitigation ID M2.1.x within the report; its presence indicates that the server has successfully applied the necessary URI blocks. Microsoft cautioned that a single misconfigured server can serve as a beachhead for a full domain compromise, underscoring the importance of validating the mitigation across every Exchange server in the environment.
Expert Commentary and Recommendations
Security professionals echoed the urgency of the situation. Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, noted that Exchange remains one of the most dangerous places for a remote‑code‑execution flaw because it sits adjacent to identity systems and the communication layer that organizations rely on daily. Krell warned that attackers study mitigation guidance just as defenders do, allowing them to weaponize disclosed vulnerabilities faster than many organizations can validate exposure. Both Krell and Damon Small advised that, beyond enabling EEMS, organizations should consider accelerating a migration to Exchange Online or, at minimum, isolating on‑premises Exchange servers behind a zero‑trust gateway to limit lateral movement if a breach occurs.
Conclusion and Next Steps
The confirmation of CVE‑2026‑42897 as an actively exploited zero‑day serves as a stark reminder of the persistent risk posed by on‑premises Exchange Server deployments. While a permanent patch is pending, the recommended course of action is to immediately enable and verify the Exchange Emergency Mitigation Service, ensuring mitigation ID M2.1.x appears in the Health Checker report. Simultaneously, security teams should review email hygiene, user awareness training, and network segmentation strategies to reduce the likelihood of successful exploitation. For long‑term resilience, evaluating a move to Exchange Online or implementing robust zero‑trust architectures around legacy Exchange infrastructure will help safeguard critical identity and communication assets against similar threats in the future.