
Microsoft warns of Exchange zero-day exploited via XSS

Exchange zero-day – Microsoft has shared mitigations for a high-severity Exchange Server flaw, CVE-2026-42897, currently exploited to run arbitrary JavaScript in Outlook on the web.

A high-severity zero-day in Microsoft Exchange Server is already being exploited, and Microsoft is urging administrators to act quickly as the company rolls out emergency mitigations for systems affected by the flaw.

The vulnerability, tracked as CVE-2026-42897, involves cross-site scripting behavior that can allow threat actors to execute arbitrary JavaScript in the browser context. Microsoft said the attacks target users of Outlook on the web (formerly Outlook Web Access) and that the issue is a spoofing vulnerability affecting Exchange Server 2016, Exchange Server 2019, and the Exchange Server Subscription Edition (SE), even when those products are fully up to date.

Microsoft has not yet provided patches that permanently fix the underlying problem. Instead, it is directing customers toward immediate protective measures, warning that exploitation can occur when attackers send specially crafted emails.

“An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context,” Microsoft’s Exchange team said.

To reduce risk on-premises, Microsoft is emphasizing its Exchange Emergency Mitigation Service (EEMS), which it said offers automatic mitigation for Exchange Server 2016, 2019, and SE installations. Microsoft added guidance for organizations that may have the service turned off.

“Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away,” Microsoft said. It also cautioned that EEMS will not be able to check for new mitigations if a server is running Exchange Server versions older than March 2023.

EEMS was introduced in September 2021 as an automated layer of protection for on-premises Exchange environments. Microsoft designed it to apply interim mitigations for high-risk vulnerabilities that are likely being actively exploited, following a period when multiple hacking groups used earlier Exchange zero-days such as ProxyLogon and ProxyShell, which initially lacked patches or mitigation information, to breach Internet-facing Exchange servers.

Technically, EEMS runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with the Mailbox role.
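Because EEMS only protects servers where it is enabled at both the organization and server level and the service is actually running, an administrator will want a quick inventory before relying on it. The following PowerShell check is an added example, not code from the article or from Microsoft; it assumes it is run from an elevated Exchange Management Shell, and the cmdlet properties (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) and the MSExchangeMitigation service name are assumed from Exchange documentation rather than taken from the article.

```powershell
# Added example: report Exchange Emergency Mitigation Service (EEMS) status
# for every Mailbox server. Run from an elevated Exchange Management Shell.
# Cmdlet properties and the MSExchangeMitigation service name are assumptions
# drawn from Exchange documentation, not from the article.
function Get-EemsStatusReport {
    [CmdletBinding()]
    param()

    # Org-wide switch: if this is $false, EEMS is off everywhere regardless
    # of the per-server setting.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' })) {
        # Windows service that fetches and applies the interim mitigations.
        $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server             = $server.Name
            # Build is reported so it can be compared against the March 2023
            # minimum the article mentions; older builds cannot fetch new mitigations.
            Version            = $server.AdminDisplayVersion
            OrgMitigations     = $orgEnabled
            ServerMitigations  = $server.MitigationsEnabled
            ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
            MitigationsApplied = ($server.MitigationsApplied -join ',')
            MitigationsBlocked = ($server.MitigationsBlocked -join ',')
            # Effective protection needs all three: org switch, server switch, running service.
            Protected          = [bool]($orgEnabled -and $server.MitigationsEnabled -and $svc -and $svc.Status -eq 'Running')
        }
    }
}

# List the servers that still need attention first.
Get-EemsStatusReport | Sort-Object Protected | Format-Table -AutoSize
```

A server showing Protected = False, or a build older than the March 2023 cutoff, is one where the automatic mitigation for this flaw cannot be assumed to have landed.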

For administrators operating in air-gapped environments that cannot rely on automatic updates, Microsoft also pointed to an alternative path: the Exchange on-premises Mitigation Tool (EOMT). The company said administrators can download the latest EOMT version and apply the mitigation by running the script through an elevated Exchange Management Shell (EMS) using one of the commands it provided.

Microsoft stressed, though, that applying the mitigation can create user-facing disruptions. Among the issues it flagged, OWA Print Calendar functionality might not work. As workarounds, Microsoft suggested copying the calendar data, taking a screenshot of the calendar a user wants to print, or using the Outlook Desktop client. It also warned that inline images may not display correctly in the OWA recipients’ reading pane, recommending that users send images as email attachments or use the Outlook Desktop client instead. Microsoft further noted that OWA light, identified by an Outlook URL ending in /?layout=light, does not work properly, adding that the feature was deprecated years ago and is not intended for regular production use.

Looking ahead, Microsoft said it plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. But it warned that updates for Exchange 2016 and 2019 would only be available to customers enrolled in the Period 2 Exchange Server ESU program.

Questions about the attacks themselves were raised with Microsoft by BleepingComputer, but a response was not immediately available.

The latest warning arrives months after major support changes for Exchange on-premises systems. In October, weeks after Exchange 2016 and Exchange 2019 reached the end of support, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) issued guidance to help IT administrators harden Exchange servers against attacks.
