Microsoft disclosed a high-severity vulnerability in Exchange Server on Wednesday and confirmed that attackers are already exploiting it. There is no patch. The company has shipped an emergency mitigation that ships on by default, and that mitigation, by Microsoft’s own admission, breaks two features many office workers use every day: printing calendars and rendering inline images. For the next several weeks, every organization still running Exchange on its own hardware has to choose between a known exploitation risk and a daily papercut to its users.
The flaw is tracked as CVE-2026-42897 and carries a CVSS score of 8.1. Microsoft describes it as an improper neutralization of input during web page generation, a cross-site scripting bug, in Exchange Server’s Outlook Web Access component. An attacker sends a specially crafted email; when an Exchange user opens it through OWA and meets certain interaction conditions, JavaScript supplied by the attacker runs inside the user’s browser session.
On the surface, that sounds like a routine XSS bug. It is not, and the reason is structural. Exchange is the email backbone of a large portion of corporate and government IT, and the on-premises versions of Exchange have historically held privileged positions inside their owners’ Active Directory environments. An attacker who can execute JavaScript as a logged-in OWA user, particularly one with elevated mail permissions, can steal session tokens, read or send mail as that user, and use a foothold to pivot further into the network. The 2021 ProxyLogon and ProxyShell campaigns, both rooted in Exchange flaws, ran a similar playbook to devastating effect.
Who is affected, and who is not
CVE-2026-42897 affects all currently supported on-premises versions: Exchange Server 2016, Exchange Server 2019, and the new Exchange Server Subscription Edition. Microsoft’s advisory states that Exchange Online (the cloud-hosted version sold through Microsoft 365) is not affected. That distinction matters because Microsoft ended mainstream support for Exchange Server 2019 in October, and Extended Security Updates for both 2016 and 2019 run out on April 14 of next year, leaving Subscription Edition as the only on-premises version with a future. Many of the organizations still running 2016 and 2019 are running them because migration to the cloud is expensive, complicated, or politically constrained.
Shodan currently returns roughly 154,000 internet-exposed Exchange instances and 73,000 OWA endpoints. Those figures should be read as an order-of-magnitude estimate of attack surface, not a precise count of vulnerable boxes. The real population is almost certainly larger than the exposed surface, because many Exchange servers sit behind reverse proxies that Shodan’s scanners do not fingerprint cleanly.
The mitigation, and what it costs
Microsoft’s advisory tells administrators that the side effects include calendar printing issues and inline image display problems. That is the trade-off they are being asked to accept until a patch ships. — Microsoft Exchange Team advisory, May 14, 2026
Because there is no patch, Microsoft is leaning on the Exchange Emergency Mitigation Service, a defensive component it built into Exchange after the ProxyLogon disaster. The service automatically downloads and applies hardening rules from Microsoft when a new threat appears. For CVE-2026-42897, the EM Service ships with the mitigation enabled by default; administrators who have not deliberately turned the service off are already covered. For air-gapped or disconnected environments, Microsoft has updated the Exchange On-premises Mitigation Tool, a PowerShell script, to apply the same hardening manually.
Neither path is free. Microsoft’s own guidance lists the side effects: certain calendar print jobs in OWA may fail, and some inline images embedded in messages may not render. Those are not catastrophic regressions, but they are the kind of daily friction that generates help-desk tickets and, in some organizations, pressure to roll the mitigation back. Administrators tempted to do so on the theory that there is "no public exploitation yet" should re-read the advisory. Microsoft has tagged the entry "Exploitation Detected," and independent reporting from Bleeping Computer and Security Affairs has confirmed active in-the-wild attacks.
What we do not know
The advisory credits an anonymous reporter under Microsoft’s coordinated vulnerability disclosure program, and Microsoft has not named the threat actors exploiting the bug. There is no public information on victim count, sector targeting, or the post-exploitation tooling being used. Patches are planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14 and CU15, but only for customers enrolled in the Period 2 Exchange Server Extended Security Updates program, and Microsoft has not committed to a public release date.
The "certain interaction conditions" phrasing in Microsoft’s description also leaves daylight. A vulnerability that requires a victim to click is not the same as one that triggers on preview; the difference matters for how aggressively attackers can spray-and-pray. Microsoft has not published the specific interaction needed, presumably to slow exploit development. Researchers who replicate the flaw will, eventually, fill in that detail.
For now, the practical guidance for any organization running on-premises Exchange is narrow: verify that the Exchange Emergency Mitigation Service is running, confirm the May 14 mitigation has applied, and accept the calendar-printing friction until Microsoft ships a real fix. Disabling EM Service to recover those features, while a patch is outstanding and exploitation is confirmed, is the kind of decision that ends up in an incident-response report.
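The three checks above (service running, EEMS enabled, mitigation applied) can be scripted rather than eyeballed. The following is an added PowerShell example, not code from the article or from Microsoft, meant to be run in the Exchange Management Shell on each on-premises server. The MSExchangeMitigation service name and the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties are Microsoft's documented EEMS interface; the mitigation identifier is a placeholder because the article does not give it, and the event-log provider filter is an assumption rather than a documented source name.

```powershell
# Added example (not from the article or Microsoft): read-only health check for the
# Exchange Emergency Mitigation Service. Run in the Exchange Management Shell.
function Test-ExchangeMitigationState {
    param(
        [string]$Server = $env:COMPUTERNAME,
        # Placeholder: substitute the mitigation ID named in Microsoft's advisory.
        [string]$MitigationId = 'REPLACE_WITH_ADVISORY_MITIGATION_ID'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is the EM Service installed and running on this box?
    $svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add('MSExchangeMitigation service not found on this server.')
    } elseif ($svc.Status -ne 'Running') {
        $findings.Add("MSExchangeMitigation service is $($svc.Status), not Running.")
    }

    # 2. Is EEMS switched on at the organization and server level?
    $org = Get-OrganizationConfig
    if (-not $org.MitigationsEnabled) {
        $findings.Add('MitigationsEnabled is False at the organization level.')
    }
    $srv = Get-ExchangeServer -Identity $Server
    if (-not $srv.MitigationsEnabled) {
        $findings.Add("MitigationsEnabled is False on server $Server.")
    }

    # 3. Has the specific mitigation been applied, and has anyone blocked it?
    if ($srv.MitigationsApplied -notcontains $MitigationId) {
        $findings.Add("Mitigation '$MitigationId' is not listed in MitigationsApplied on $Server.")
    }
    if ($srv.MitigationsBlocked -contains $MitigationId) {
        $findings.Add("Mitigation '$MitigationId' is explicitly blocked on $Server.")
    }

    # 4. Can the server reach Microsoft's mitigation feed host? (reachability only)
    $net = Test-NetConnection -ComputerName 'officeclient.microsoft.com' -Port 443 -WarningAction SilentlyContinue
    if (-not $net.TcpTestSucceeded) {
        $findings.Add('No TCP/443 connectivity to officeclient.microsoft.com; EM Service cannot fetch new mitigations.')
    }

    # 5. Surface recent EM Service activity for the ticket. Provider-name wildcard is an
    #    assumption; adjust if your event source is named differently.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Mitigation*' } |
        Select-Object -First 20 TimeCreated, Id, Message

    [pscustomobject]@{
        Server             = $Server
        ServiceStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        OrgEnabled         = [bool]$org.MitigationsEnabled
        ServerEnabled      = [bool]$srv.MitigationsEnabled
        MitigationsApplied = @($srv.MitigationsApplied)
        MitigationsBlocked = @($srv.MitigationsBlocked)
        Findings           = $findings
        RecentEvents       = $events
    }
}

# Usage: one object per server; a non-empty Findings list is the thing to act on.
$state = Test-ExchangeMitigationState -MitigationId 'REPLACE_WITH_ADVISORY_MITIGATION_ID'
$state | Format-List Server, ServiceStatus, OrgEnabled, ServerEnabled, MitigationsApplied, MitigationsBlocked
if ($state.Findings.Count -eq 0) { 'EM Service state looks healthy.' } else { $state.Findings }
```

Run it against every Exchange server in the organization (for example by looping over `Get-ExchangeServer`) rather than a single one, since EEMS applies mitigations per server and a server that has been offline or has the service stopped will silently lag the rest. For disconnected environments, where the article notes Microsoft points to the Exchange On-premises Mitigation Tool instead, the connectivity check in step 4 is expected to fail and the MitigationsApplied list is the check that matters.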
It is also worth saying what this story is not. It is not yet a ProxyLogon-class event. There is no public evidence of mass compromise, no named ransomware crew taking credit, no CISA emergency directive at the time of writing. What there is, instead, is a confirmed, actively exploited zero-day in a piece of software that sits at the center of how a lot of organizations communicate — and a fix that has not arrived. That is enough to take seriously, without escalating it past what the evidence supports.
