Security & Infrastructure Tools
Microsoft warns of Exchange zero-day flaw exploited in attacks
Microsoft warns of a high-severity Exchange Server zero-day (CVE-2026-42897) exploited via cross-site scripting to run arbitrary code in Outlook on the Web. The flaw affects Exchange 2016, Exchange 2019, and Exchange SE, with no permanent patch available yet. For immediate protection, Microsoft recommends enabling Exchange Emergency Mitigation Service (EEMS); an on-premises mitigation via EEMS is automatic on eligible servers, and the Exchange On-Premises Mitigation Tool (EOMT) remains an option for air-gapped environments. Patches are planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15, though updates for 2016/2019 may be limited to customers in the Period 2 ESU program. CISA and NSA have previously issued guidance to harden Exchange servers against such exploits.
Microsoft Warns of Exchange Zero-Day Flaw Exploited in Attacks
OverviewMicrosoft has disclosed a high-severity vulnerability in on-premises Exchange Server software that threat actors are actively exploiting. The flaw, tracked as CVE-2026-42897, manifests as a spoofing vulnerability that can enable arbitrary code execution through cross-site scripting when Outlook on the Web is used. The affected products include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). While official patches are not yet available to permanently fix the issue, Microsoft has rolled out mitigations via the Exchange Emergency Mitigation Service (EEMS) to provide automatic protection for on‑premises deployments.
What the vulnerability allows
- Attack vector: An adversary can exploit the flaw by delivering a specially crafted email to a targeted user. If the recipient opens the message in Outlook Web Access and certain interaction conditions are satisfied, malicious JavaScript can execute within the browser session.
- Impact: The exploit can lead to arbitrary code execution on the affected Exchange server or within the user’s browser context, potentially enabling further access or data exposure.
Key mitigations and guidance
- Immediate protection: Enabling the Exchange Emergency Mitigation Service (EEMS) is the recommended first response. EEMS applies interim mitigations automatically, helping to shield Exchange servers from ongoing exploitation while permanent patches are developed.
- Version caveat: EEMS will not check for new mitigations on servers running Exchange Server versions older than March 2023. Administrators should ensure their environment meets the minimum supported baseline for EEMS protections.
- How to enable EEMS: If EEMS is currently disabled, administrators are advised to turn it on promptly to gain immediate protection against the vulnerability.
- On-premises environments with older, air-gapped setups: For isolated deployments, Microsoft provides the Exchange On-Premises Mitigation Tool (EOMT). This tool can be used to apply the mitigation offline by running a script with the appropriate CVE parameter:
- Single server: .EOMT.ps1 -CVE CVE-2026-42897
- All applicable servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne Edge } | .EOMT.ps1 -CVE CVE-2026-42897
Planned patches and update strategy
- Patch timeline: Microsoft plans to release official patches for Exchange Subscription Edition (SE) RTM, Exchange 2016 CU23, and Exchange 2019 CU14 and CU15. However, updates for Exchange 2016 and Exchange 2019 are said to be available only to customers enrolled in the Period 2 Exchange Server ESU program.
- ESU considerations: The ESU program is a continuing support mechanism that provides security updates beyond the standard support window for certain on‑premises deployments. Organizations using older or out‑of‑support branches should review ESU eligibility and timing to maintain protection.
Context and historical notes
- Background: The emergence of this vulnerability follows a period in which several Exchange-related zero-days have been exploited in the wild, including past instances like ProxyLogon and ProxyShell. These incidents spurred rapid response and the introduction of automated mitigations to reduce exposure while patches were being developed.
- Government guidance: In the wake of renewed Exchange activity, national cybersecurity bodies issued guidance to help IT teams harden Exchange servers. This guidance complements vendor mitigations by outlining additional hardening steps and best practices for on‑premises deployments.
Operational considerations for admins
- Monitoring and detection: While EEMS provides proactive protection, administrators should maintain layered defenses, including network segmentation, strict access controls, and enhanced monitoring of Exchange traffic and OWA activity. Any anomalous sign‑ups, unusual authentication patterns, or unexpected script activity should be investigated promptly.
- Deployment planning: Plan patch deployment in coordination with the ESU program and internal change control processes. Test patches in a controlled lab environment when possible, and ensure that antivirus and endpoint protection are compatible with the forthcoming updates.
- Air-gapped environments: For networks that cannot reach Microsoft update services, use EOMT to apply CVE-2026-42897 mitigations locally. Keep an eye on the official patch schedule and be prepared to transition to permanent fixes as soon as they are released and validated.
Validation and risk assessment themes
- The broader security landscape emphasizes validating not just whether an attacker can traverse a network, but whether controls effectively block threats and trigger detection rules. A companion resource discusses the six surfaces that organizations should validate to strengthen resilience beyond automated pentesting results.
- Readers are encouraged to consult related materials and official guidance to map these validation steps to their own security controls and incident response procedures.
Historical snapshots and related developments
- End-of-support context: The period around Exchange 2016 and 2019 reached their end-of-support milestones, which historically coincides with elevated risk and a push for tighter hardening and extended support options through programs like ESU.
- Ongoing awareness: The security community continues to track Exchange‑related vulnerabilities, emphasizing timely mitigations, patch cadences, and best practices for safeguarding on‑premises mail infrastructures.
Related reading themes (without direct recommendations)
- Observations on recent Windows vulnerabilities and zero-days in active exploitation
- Patch Tuesday updates and how they address Exchange-related flaws
- Industry responses from agencies and security researchers on securing enterprise mail systems
- The role of automated mitigation services in reducing exposure during vulnerability windows
Note: The content above reorganizes and paraphrases the information from a security brief about the CVE-2026-42897 vulnerability in Microsoft Exchange. It focuses on explaining what the vulnerability is, who it affects, how to mitigate it in both connected and air‑gapped environments, the anticipated patch strategy, and the broader context surrounding Exchange security. Related articles and deeper dives exist for readers seeking additional background on the topic.
