Microsoft has issued an urgent alert regarding a newly discovered security vulnerability, designated as CVE-2026-42897, that is actively being exploited in the wild. This critical flaw affects on-premise installations of Microsoft Exchange Server, potentially exposing sensitive data and systems to unauthorized access. The vulnerability, classified with a CVSS score of 8.1, stems from a cross-site scripting (XSS) weakness that allows for spoofing attacks.
The tech giant confirmed that an attacker could weaponize this vulnerability by sending a specially crafted email to a user. Upon opening this email within Outlook Web Access and under specific interaction conditions, the attacker could execute arbitrary JavaScript code within the user’s web browser context. Microsoft has tagged this threat with an “Exploitation Detected” assessment, emphasizing the immediate danger posed to affected systems. The vulnerability was discovered and reported by an anonymous researcher.
Microsoft Exchange Server Vulnerability Under Active Exploitation
Described as an “Improper neutralization of input during web page generation (‘cross-site scripting’)” flaw, CVE-2026-42897 presents a significant risk for organizations relying on on-premise Exchange Server deployments. This type of vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, leading to a range of malicious activities, including session hijacking and data theft. The fact that it is already being exploited in the wild underscores the urgency for organizations to address this issue.
Microsoft stated that its Exchange Online service is not impacted by this particular vulnerability. However, the following on-premises versions of Exchange Server are confirmed to be affected: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE), irrespective of their update levels.
Mitigation and Patching Efforts
In response to the active exploitation, Microsoft is providing a temporary mitigation through its Exchange Emergency Mitigation Service (EEMS). This service is designed to automatically implement a URL rewrite configuration, offering immediate protection. EEMS is enabled by default for most users, but Microsoft advises those who may have disabled it to re-enable the Windows service. The company is also actively working on a permanent fix, which will be released in the form of a security update.
For organizations operating in air-gapped environments where EEMS cannot be applied, Microsoft has outlined a manual mitigation process. This involves downloading the latest version of the Exchange On-Premises Mitigation Tool (EOMT) from the provided Microsoft link. Administrators can then apply the mitigation on a per-server basis or across all servers simultaneously by running the EOMT script via an elevated Exchange Management Shell (EMS).
The script commands for applying the mitigation are as follows: for a single server, `.EOMT.ps1 -CVE “CVE-2026-42897″`; and for all applicable servers, `Get-ExchangeServer | Where-Object { $_.ServerRole -ne “Edge” } | .EOMT.ps1 -CVE “CVE-2026-42897″`. Microsoft acknowledges a known cosmetic issue where the mitigation might show “Mitigation invalid for this exchange version” in the description field, despite being successfully applied. The company is investigating a solution for this display anomaly.
Ongoing Investigation and Future Steps
As of the advisory’s release, details regarding the specific methods of exploitation, the identities of the threat actors involved, or the full scope of the attacks remain limited. It is also unclear which specific targets have been affected or whether any attacks have resulted in successful breaches. Microsoft’s immediate recommendation for all affected users is to implement the provided mitigations without delay.
The current focus is on ensuring that organizations can protect themselves from ongoing attacks while awaiting the forthcoming security patch. The situation underscores the persistent threat landscape for email server infrastructure and the importance of maintaining up-to-date security measures and promptly applying vendor-provided patches and mitigations to safeguard against emerging cyber threats.