Microsoft warns of Exchange zero-day flaw exploited in attacks

On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users.

Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software.

While patches aren't yet available to permanently fix the vulnerability, the company added that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers.

"An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," the Exchange Team said.

"Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away. Please note that EM Service will not be able to check for new mitigations if your server is running Exchange Server version older than March 2023."

EEMS was introduced in September 2021 to provide automated protection for on-premises Exchange servers, securing them against ongoing attacks by applying interim mitigations for high-risk (and likely actively exploited) vulnerabilities.

EEMS runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with the Mailbox role. The security feature was added after many hacking groups exploited ProxyLogon and ProxyShell zero-days (which lacked patches or mitigation information) to breach Internet-exposed Exchange servers.

Admins with servers in air-gapped environments can also mitigate the flaw by downloading the latest Exchange on-premises Mitigation Tool (EOMT) version and applying the mitigation by running the script via an elevated Exchange Management Shell (EMS) with one of the following commands:

• Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"

• All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

However, it’s important to note that applying the mitigation measures on vulnerable servers will cause issues, including:

• OWA Print Calendar functionality might not work. As a workaround, Microsoft suggested copying the data, taking a screenshot of the calendar you want to print, or using the Outlook Desktop client.
• Inline images might not display correctly in the recipients' OWA reading pane. As a workaround, users are advised to send images as email attachments or use the Outlook Desktop client.
• OWA light (OWA URL ending in /?layout=light) does not work properly (this feature was deprecated several years ago and is not intended for regular production use).

Microsoft plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15, but says that updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server ESU program.

BleepingComputer also reached out to Microsoft with questions about the attacks, but a response was not immediately available.

In October, weeks after Exchange 2016 and 2019 reached the end of support, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released guidance to help IT admins harden Microsoft Exchange servers against attacks.

Over the last 5 years, CISA has added 19 Microsoft Exchange Server vulnerabilities to its list of actively exploited security flaws, 14 of which were also abused in ransomware attacks.