[Image caption: CVE-2026-42897 targets the Outlook Web Access interface on on-premises Exchange Server. Generic hacker pictured.]
A fresh wave of anxiety is rippling through IT departments worldwide this week. Microsoft has confirmed that a previously undisclosed zero-day vulnerability in on‑premises Exchange Server – tracked as CVE-2026-42897 – is being actively exploited in the wild. The flaw allows attackers to execute arbitrary JavaScript in a victim’s browser simply by sending a carefully crafted email. And the kicker? There is no permanent patch available as of today.
Microsoft acted quickly on May 14, deploying an emergency mitigation through its Exchange Emergency Mitigation Service (EEMS). But for many system administrators, the relief is only partial. The mitigation comes with notable side effects, and organizations still running older Exchange versions – specifically 2016 and 2019 – will only receive a permanent fix if they are enrolled in the Extended Security Update (ESU) program.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog on May 15, giving federal agencies until May 29 to remediate. Meanwhile, Exchange Online customers can breathe easy – Microsoft says cloud services are not affected.
Here’s everything you need to know about this zero‑day, how to check if your mitigation is in place, and why the “fix” might break a few things you rely on.
What Actually Is CVE-2026-42897?
At its core, CVE-2026-42897 is a cross‑site scripting (XSS) vulnerability residing in the Outlook Web Access (OWA) component of on‑premises Microsoft Exchange Server. It carries a CVSS score of 8.1 (High) – not quite “critical” territory, but dangerous enough given the low complexity of exploitation.
Here’s how it works: An unauthenticated attacker sends a specially crafted email to a target user. When that user opens the email in OWA – under certain interaction conditions that Microsoft has not fully detailed – malicious JavaScript executes inside the victim’s browser session. From there, an attacker could steal session cookies, impersonate the user, or pivot deeper into the corporate network.
Microsoft classifies this as a spoofing vulnerability rooted in improper input neutralization during web page generation. The attack path requires no special privileges, no server access, and no user interaction beyond opening an email in OWA. It all starts with an inbox.
“The fact that this zero‑day is already being exploited tells you everything you need to know about the interest attackers have in on‑prem Exchange,” said Kevin Mitnick (no relation), a freelance security consultant. “If your mail server is exposed to the internet and you’re still on‑prem, you need to treat this as an emergency.”
Who’s in the Firing Line?
The vulnerability affects every supported on‑premises version:
- Exchange Server 2016
- Exchange Server 2019
- Exchange Server Subscription Edition (any update level)
If you’re running any of these versions – regardless of whether you’ve applied the latest cumulative updates – you are vulnerable until the emergency mitigation is applied. Exchange Online (Microsoft 365) is not affected, which will come as a relief to the vast majority of organizations that have already moved to the cloud.
But on‑prem Exchange remains the backbone of email for governments, financial institutions, healthcare providers, and large enterprises that cannot or will not migrate to the cloud. CISA’s KEV catalog now lists nearly two dozen Exchange Server flaws, several of which have been weaponized by ransomware gangs like Hive, LockBit, and Cuba.
The timing of this disclosure is also interesting. CVE-2026-42897 surfaced just two days after Microsoft’s May Patch Tuesday, which patched 120 vulnerabilities but mentioned no zero‑days in its release notes. Whether attackers discovered the flaw independently or reverse‑engineered it from a silent update remains unclear.
The Mitigation: What Microsoft Did (and What You Must Do)
Because no permanent patch exists yet, Microsoft has deployed a temporary fix through the Exchange Emergency Mitigation Service (EEMS). This service is enabled by default on most Exchange Mailbox servers. It automatically applies a URL rewrite configuration that blocks the XSS attack vector.
Microsoft labels this mitigation as M2.1.x. If your servers have internet access and the EEMS is running, the fix should have been applied automatically on May 14.
To verify the status, administrators can run the Exchange Health Checker script – available at aka.ms/ExchangeHealthChecker – which will report whether the mitigation is active.
For air‑gapped or disconnected environments where the Exchange server cannot reach Microsoft’s cloud, you’re not out of luck. Microsoft has released the Exchange On‑premises Mitigation Tool that can be downloaded manually. Run it via an elevated Exchange Management Shell with a command that targets a single server or the entire fleet at once.
A word of caution: Some servers may display a misleading status message reading “Mitigation invalid for this exchange version” in the description field. Microsoft says this is a known cosmetic bug. If the status column shows “Applied”, the fix is active. Ignore the description text – the team is investigating the display issue.
Side Effects: What Breaks When You Apply the Fix
No good deed goes unpunished, and emergency mitigations often come with trade‑offs. Microsoft has confirmed three functional regressions after applying M2.1.x:
- The OWA Print Calendar feature stops working. Users who rely on printing calendars directly from Outlook Web Access will find the function broken. Microsoft suggests using desktop Outlook or exporting the calendar as a workaround.
- Inline images no longer display correctly in the reading pane. When a recipient opens an email in OWA, inline images may appear as broken links or not render at all. This does not affect attachments, but it can be disruptive for marketing teams or anyone who sends embedded screenshots.
- OWA Light (the legacy interface) stops functioning entirely. The old “light” version of OWA, accessed via a URL ending in /?layout=light, was deprecated by Microsoft years ago and is no longer considered production‑ready. However, some organizations – especially those with very old browsers or custom automation – still rely on it. Those workflows will break. Affected users must switch to the standard OWA URL.
Microsoft has not indicated whether these side effects will be resolved in the permanent patch. For now, IT teams need to weigh the security risk against the loss of functionality.
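Before applying the mitigation, an administrator will want to know which accounts or integrations still depend on OWA Light so they can be warned ahead of time. The following PowerShell is an added example, not code from the article or from Microsoft: it parses IIS W3C log lines from the Mailbox server and counts requests whose query string carries the layout=light marker mentioned above. The log lines embedded in the block are constructed sample data; the log path in the closing comment is the usual IIS default and is an assumption about your server.

```powershell
# Added example (not from the article or from Microsoft): find accounts that
# still use OWA Light by scanning IIS W3C log lines for "layout=light".
function Get-OwaLightUsers {
    param(
        [Parameter(Mandatory)] [string[]]$LogLines
    )
    $fields = $null
    $hits = @{}
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; IIS may reorder them per log file
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # Only OWA requests whose query string contains layout=light count
        if ($row['cs-uri-stem'] -like '/owa*' -and $row['cs-uri-query'] -match '(^|&)layout=light(&|$)') {
            # Fall back to the client IP when the request was not authenticated
            $user = if ($row['cs-username'] -eq '-') { $row['c-ip'] } else { $row['cs-username'] }
            $hits[$user] = [int]$hits[$user] + 1
        }
    }
    $hits.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { [pscustomobject]@{ User = $_.Key; OwaLightRequests = $_.Value } }
}

# Constructed sample log in the standard IIS W3C layout (not real data)
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-14 08:01:12 10.0.0.5 GET /owa/ layout=light 443 CONTOSO\alice 10.0.1.20 Mozilla/4.0 200
2026-05-14 08:01:15 10.0.0.5 GET /owa/ - 443 CONTOSO\bob 10.0.1.21 Mozilla/5.0 200
2026-05-14 08:02:40 10.0.0.5 GET /owa/ layout=light&ae=Folder 443 CONTOSO\alice 10.0.1.20 Mozilla/4.0 200
2026-05-14 08:03:02 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\svc-scanner 10.0.2.9 CustomAgent/1.0 200
'@ -split "`r?`n"

Get-OwaLightUsers -LogLines $sampleLog | Format-Table -AutoSize
# On a real server (path is an assumption; adjust to your IIS site):
# Get-OwaLightUsers -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex260514.log')
```

Against the sample data the function reports CONTOSO\alice with two OWA Light requests and nothing for bob or the EWS service account, which is the list you would hand to the help desk before the mitigation lands. Print Calendar and inline-image breakage leave no comparable marker in the IIS logs, so those side effects still need a user-facing announcement.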
No Permanent Patch Yet – And a Warning for Older Exchange Versions
Let’s be blunt: There is no permanent fix for CVE-2026-42897 today. Microsoft is actively developing one, but the company has not provided a release timeline. When the patch does arrive, how you get it depends entirely on which version of Exchange you’re running:
- Exchange Server Subscription Edition will receive the permanent patch through the standard monthly update channel.
- Exchange Server 2016 and 2019 will only get the permanent patch if your organization is enrolled in Microsoft’s Period 2 Extended Security Update (ESU) program. If you’re not paying for ESU, you will remain vulnerable after the mitigation is eventually lifted – or you will have to keep the emergency mitigation in place indefinitely.
For those running Exchange 2016 or 2019 without ESU, the only safe path forward is to either enroll in ESU immediately or accelerate cloud migration plans. CISA’s May 29 deadline for federal agencies will force many to act quickly, but private enterprises often move slower.
The Bigger Picture: Why This Zero‑Day Matters
CVE-2026-42897 lands at a fascinating moment in Microsoft’s security journey. Just weeks ago, the company boasted that its MDASH AI model had identified 16 critical Windows flaws before any attackers could reach them – a proactive detection approach that seemed to signal a new era of threat hunting. That same AI apparently did not catch this Exchange Server XSS vulnerability before it went live.
It’s a reminder that zero‑days will always exist. Attackers still have the upper hand when it comes to finding novel bugs in complex, legacy codebases like on‑premises Exchange. And with ransomware groups increasingly targeting email servers as their initial entry point, every hour counts.
Microsoft has not yet identified the threat actors behind the active exploitation of CVE-2026-42897, nor has it disclosed which organizations were targeted. But given CISA’s swift addition to the KEV catalog, the federal government considers this a serious enough threat to impose a two‑week remediation window.
For more technical details and the official announcement, you can read Microsoft’s full advisory on the Microsoft Tech Community blog. Additionally, The Hacker News has published an excellent breakdown of the exploit mechanics and mitigation steps.
What You Should Do Right Now
If you manage an on‑premises Exchange Server, here’s your checklist:
- Verify that the EEMS mitigation is applied. Run the Exchange Health Checker script or check the mitigation status via PowerShell. Look for status “Applied” – ignore cosmetic description errors.
- If your servers are air‑gapped, download the Exchange On‑premises Mitigation Tool and deploy it manually across your fleet.
- Communicate with users about the side effects – especially the Print Calendar and inline image issues. Provide workarounds or alternative workflows.
- Check your ESU enrollment status if you’re on Exchange 2016 or 2019. Without ESU, you will not receive the permanent patch.
- Monitor Microsoft’s Tech Community for updates on the permanent fix timeline. Bookmark the official advisory.
- For deeper technical analysis, read the write‑up on.
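The mitigation section above and the first checklist item both come down to one question per server: does EEMS report the M2.1.x mitigation as applied? The PowerShell below is an added example, not code from the article or from Microsoft, that answers it across the fleet from an elevated Exchange Management Shell. Get-ExchangeServer and its MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties are real cmdlet output; the mitigation identifier prefix M2.1 is taken from the article's “M2.1.x” label, and the exact string Exchange reports for it is an assumption. Following the article's advice, the check keys off the applied list rather than any description text.

```powershell
# Added example (not from the article or from Microsoft): fleet-wide report of
# the EEMS mitigation state. Run in an elevated Exchange Management Shell.
function Get-EemsMitigationReport {
    param(
        # Prefix of the mitigation ID to look for; "M2.1" follows the article's
        # "M2.1.x" label and the exact reported string is an assumption
        [string]$MitigationPrefix = 'M2.1',
        # Optional server names; default is every Exchange server in the org
        [string[]]$Server
    )

    # -Status asks the server for live values instead of cached AD data
    if ($Server) {
        $servers = $Server | ForEach-Object { Get-ExchangeServer -Identity $_ -Status }
    } else {
        $servers = Get-ExchangeServer -Status
    }

    # The org-wide switch can disable EEMS regardless of per-server settings
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($s in $servers) {
        $applied = @($s.MitigationsApplied)
        $blocked = @($s.MitigationsBlocked)
        $hasFix  = @($applied | Where-Object { $_ -like "$MitigationPrefix*" }).Count -gt 0

        # "Applied" is the authoritative signal; the description text the
        # article mentions ("Mitigation invalid for this exchange version")
        # is cosmetic and is deliberately not consulted here
        if ($hasFix) {
            $state = 'Applied'
        } elseif (-not $orgEnabled -or -not $s.MitigationsEnabled) {
            $state = 'EEMS disabled'
        } elseif ($blocked | Where-Object { $_ -like "$MitigationPrefix*" }) {
            $state = 'Blocked by admin'
        } else {
            $state = 'MISSING'
        }

        [pscustomobject]@{
            Server             = $s.Name
            EemsEnabled        = ($orgEnabled -and $s.MitigationsEnabled)
            MitigationsApplied = ($applied -join ', ')
            MitigationsBlocked = ($blocked -join ', ')
            TargetMitigation   = $state
        }
    }
}

# Usage: list every server, then show only the ones that still need attention
Get-EemsMitigationReport | Format-Table -AutoSize
Get-EemsMitigationReport | Where-Object TargetMitigation -ne 'Applied'

# For a server reporting "EEMS disabled", re-enable the service so the next
# hourly check can pull the mitigation (real cmdlet; replace the server name):
# Set-ExchangeServer -Identity 'EXCH01' -MitigationsEnabled $true
```

Servers that show MISSING while EEMS is enabled and nothing is blocked are the ones that cannot reach Microsoft's mitigation endpoint; those are the candidates for the manually downloaded Exchange On‑premises Mitigation Tool the article describes. Edge Transport servers do not run EEMS and will show empty mitigation lists, which is expected rather than a finding.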
This is a developing story. As soon as Microsoft releases a permanent patch – or if attackers begin to bypass the mitigation – we will update this article. In the meantime, assume that any unpatched on‑prem Exchange Server is at risk. Act accordingly.
Michael Tobin is a senior editor covering cybersecurity and cloud infrastructure. He has been writing about Microsoft Exchange vulnerabilities since the ProxyLogon days.
