On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited with Crafted Email

Microsoft has disclosed a new security vulnerability affecting on-premises versions of Exchange Server that has been widely exploited in the wild.
The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.
“Inappropriate modification of input during web page creation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to commit network crimes,” the tech giant said in an advisory on Thursday.
Microsoft, which has placed the vulnerability in its “Exploitation Detected” category, said an attacker could exploit it by sending a crafted email to a user; if the message is opened in Outlook Web Access and certain “interaction conditions” are met, it could allow malicious JavaScript to execute in the context of the user's web browser.
Redmond also noted that it is offering a temporary mitigation through its Exchange Emergency Mitigation Service while it works on a permanent fix for the flaw.
The Exchange Emergency Mitigation Service applies the mitigation automatically as a URL rewrite rule and is enabled by default. If it is not enabled, administrators are advised to enable the Windows service.
According to Microsoft, Exchange Online is not affected by this vulnerability. The following on-premises versions of Exchange Server are affected –
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any revision level)
If using the Exchange Emergency Mitigation Service is not an option because of air-gap restrictions, the company has outlined the following steps –
- Download the latest version of the Exchange On-premises Mitigation Tool (EOMT) at aka[.]ms/UnifiedEOMT.
- Apply the mitigation on a per-server basis or on all servers at once by running the script from the Exchange Management Shell (EMS):
  - Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
  - All servers: Get-ExchangeServer | Where-Object {$_.ServerRole -ne "Edge"} | .\EOMT.ps1 -CVE "CVE-2026-42897"
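The two checks the article calls for, that the Emergency Mitigation Service is enabled and running on every non-Edge server, and the EOMT fallback for air-gapped environments, can be combined into one pass from the Exchange Management Shell. The script below is an added example written for this article; it is not from Microsoft or the EOMT project. It assumes the Windows service name MSExchangeMitigation, the MitigationsEnabled property exposed by Get-ExchangeServer/Set-ExchangeServer and Set-OrganizationConfig, and that EOMT.ps1 has been downloaded to the current directory ($EomtPath); the CVE identifier is the one from the advisory above.

```powershell
# Added example (not the article's or Microsoft's code). Run from the Exchange
# Management Shell (Windows PowerShell 5.1) on a Mailbox server.
# Assumed names: service 'MSExchangeMitigation', the MitigationsEnabled
# property/parameter, and the EOMT script location in $EomtPath.

$Cve       = "CVE-2026-42897"   # identifier from the advisory discussed in the article
$EomtPath  = ".\EOMT.ps1"       # assumed: EOMT downloaded to the current directory
$AirGapped = $false             # set to $true when servers cannot reach Microsoft

# Edge Transport servers are excluded, matching the advisory's own filter
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

# The organization-wide switch must be on or the service applies nothing
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning "Organization-level MitigationsEnabled is False; enabling it."
    Set-OrganizationConfig -MitigationsEnabled $true
}

foreach ($srv in $servers) {
    $name = $srv.Name

    # Per-server switch: a server with this set to False ignores new mitigations
    if (-not $srv.MitigationsEnabled) {
        Write-Warning "${name}: MitigationsEnabled is False; enabling."
        Set-ExchangeServer -Identity $name -MitigationsEnabled $true
    }

    # Windows service state (assumed service name MSExchangeMitigation)
    $svc = Get-Service -ComputerName $name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "${name}: MSExchangeMitigation service not found; check the Exchange build."
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "${name}: service is $($svc.Status); starting it."
        Start-Service -InputObject $svc
    } else {
        Write-Output "${name}: Emergency Mitigation Service is running."
    }
}

# Air-gapped fallback from the advisory: apply the per-CVE mitigation with EOMT
# on every non-Edge server in one pipeline.
if ($AirGapped) {
    $servers | & $EomtPath -CVE $Cve
}
```

After the run, confirm the mitigation state per server rather than trusting the console output: Microsoft ships a Get-Mitigations.ps1 script in the Exchange Scripts folder for listing applied mitigations, and the service writes its own logs under the Logging\MitigationService directory of the Exchange installation path. A status of “Working” for the CVE-2026-42897 entry is the expected result, even where the Description field shows the downgrade message the article mentions.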
Microsoft said it is also aware of a known issue where the mitigation shows “Downgrade is not allowed in this version of Exchange.” in the Description field. “This problem is good and the mitigation is WORKING successfully if the status is shown as ‘Working’,” the Exchange Team said. “We are investigating how we can fix this.”
There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the extent of these efforts. It is not yet clear who the targets were or whether any of the attacks succeeded. In the meantime, administrators are advised to apply the mitigations Microsoft recommends.
