Microsoft Exchange zero-day flaw actively exploited in attacks

By Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.

A Microsoft Exchange zero-day flaw is now under active exploitation, with attackers sending specially crafted emails to compromise on-premises Exchange servers. The vulnerability, tracked as CVE-2026-42897, affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE), but does not impact Exchange Online. Microsoft confirmed the flaw is a spoofing vulnerability with cross-site scripting (XSS) behavior in Outlook on the web (OWA), and the company is urging administrators to enable its emergency mitigation service immediately.

Key Takeaways

  • CVE-2026-42897 is a spoofing vulnerability with XSS behavior affecting on-premises Exchange Server 2016, 2019, and SE.
  • Attackers exploit the flaw by sending malicious emails; opening them in OWA can execute arbitrary JavaScript in the browser.
  • Exchange Online is unaffected; the risk is limited to on-premises deployments.
  • No permanent patch was available at the time of disclosure; Microsoft recommends enabling Exchange Emergency Mitigation Service (EEMS) immediately.
  • CISA has tracked 19 Microsoft Exchange Server vulnerabilities as actively exploited over five years, with 14 used in ransomware attacks.

Why the Microsoft Exchange Zero-Day Flaw Matters Right Now

The active exploitation of this Microsoft Exchange zero-day flaw is urgent because on-premises Exchange servers are often internet-facing and central to corporate email infrastructure. Unlike cloud-based Exchange Online, which Microsoft manages and patches automatically, organizations running on-premises versions are responsible for their own security posture. A successful exploit allows attackers to execute JavaScript within a user’s browser session, potentially leading to credential theft, email spoofing, or lateral movement into the corporate network. This attack surface has been repeatedly targeted—CISA has added 19 Microsoft Exchange Server vulnerabilities to its actively exploited list over the past five years, with 14 of those also used in ransomware campaigns.

What You Need to Do: Immediate Mitigation Steps

Microsoft recommends using Exchange Emergency Mitigation Service (EEMS) as the best immediate protection. EEMS is an automated service introduced in September 2021 that applies interim mitigations for high-risk vulnerabilities on on-premises Exchange servers while permanent patches are being developed. If your organization has EEMS currently disabled, Microsoft explicitly recommends enabling it right away. The service will automatically apply protections to Exchange Server 2016, 2019, and SE without requiring manual intervention. However, administrators should note that EEMS cannot check for new mitigations if the server is running an Exchange version older than March 2023, so older deployments may need additional hardening measures.

How the Microsoft Exchange Zero-Day Flaw Compares to Past Attacks

This incident fits a troubling pattern. Exchange has been the target of multiple mass-exploitation waves, most notably ProxyLogon and ProxyShell, which compromised thousands of organizations worldwide. Those campaigns demonstrated that on-premises Exchange servers, when exposed to the internet, are high-value targets for state-sponsored and criminal actors alike. The difference this time is speed: Microsoft confirmed active exploitation before releasing a permanent fix, leaving organizations in a vulnerable window where only mitigation is available. Exchange Online remains unaffected because Microsoft controls the infrastructure and patches are deployed automatically across all cloud tenants, highlighting a key architectural advantage of cloud-based email over on-premises deployments.

Is Your Organization at Risk?

If your organization runs Exchange Server 2016, 2019, or Subscription Edition on-premises, you are potentially at risk. The vulnerability requires an attacker to send a specially crafted email and the user to open it in OWA with certain interaction conditions met, but given the volume of email traffic in any organization, the probability of exploitation is real. Organizations using only Exchange Online are not affected. The best immediate action is to verify that EEMS is enabled on all on-premises Exchange servers and monitor Microsoft’s security advisories for permanent patch availability.
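Checking that EEMS is actually active across the estate, as recommended in the mitigation section above and again here, as an added PowerShell example that is not from the article or from Microsoft. It assumes it runs in the Exchange Management Shell, and $MinimumSUBuild is a placeholder to fill in from Microsoft's Exchange build table.

```powershell
# Added example (not the article's or Microsoft's code). Run in the Exchange
# Management Shell. Audits whether EEMS is effectively on for every server.
# PLACEHOLDER: set from Microsoft's Exchange build table to the March 2023 SU
# build for your CU; EEMS cannot fetch new mitigations on older builds.
$MinimumSUBuild = [Version]'0.0.0.0'

# Org-wide switch first: if this is $false, per-server settings do not matter.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EEMS disabled org-wide. Fix: Set-OrganizationConfig -MitigationsEnabled $true'
}

$report = foreach ($srv in Get-ExchangeServer) {
    [PSCustomObject]@{
        Server    = $srv.Name
        CUBuild   = "$($srv.AdminDisplayVersion)"   # CU level only; SUs do not update this
        OrgOn     = $org.MitigationsEnabled
        ServerOn  = $srv.MitigationsEnabled
        Effective = [bool]($org.MitigationsEnabled -and $srv.MitigationsEnabled)
        Applied   = ($srv.MitigationsApplied -join ', ')   # mitigation IDs EEMS has applied
        Blocked   = ($srv.MitigationsBlocked -join ', ')   # IDs an admin has explicitly blocked
    }
}
$report | Format-Table -AutoSize

# Print the exact remediation for servers where EEMS is not effectively active.
foreach ($row in $report | Where-Object { -not $_.Effective }) {
    Write-Warning ("{0}: EEMS not active. Fix: Set-ExchangeServer -Identity {0} -MitigationsEnabled `$true" -f $row.Server)
}

# The SU level is only visible in ExSetup.exe's file version on the server itself,
# so this part checks the local server; repeat on each node (e.g. via Invoke-Command).
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    $local = [Version]$exsetup.FileVersionInfo.ProductVersion
    if ($local -lt $MinimumSUBuild) {
        Write-Warning "Local build $local predates the March 2023 SU; update before relying on EEMS."
    }
}
```

A server shows as protected only when both the organization-level and the server-level MitigationsEnabled flags are true; an empty Applied column on a current build usually means the server cannot reach the EEMS endpoint.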

Will Microsoft Release a Permanent Patch?

Yes, Microsoft will release a permanent patch, but the timeline was not specified at the time this vulnerability was disclosed. The company’s recommendation to use EEMS is explicitly a temporary measure while the permanent fix is being developed. Organizations should check Microsoft’s official security updates regularly and apply patches as soon as they become available.

How Does This Vulnerability Spread?

The Microsoft Exchange zero-day flaw spreads through email. An attacker sends a specially crafted email to a target user. If that user opens the email in Outlook on the web (OWA) and performs certain interactions with the message, the attacker’s JavaScript code executes in the browser context. This does not require the user to click a link or download a file—opening the email in OWA is sufficient under the right conditions, making it a relatively low-friction attack vector.

The urgency here is real: a flaw in your email system is a flaw in your most sensitive communications infrastructure. Enable EEMS now, monitor for patches, and ensure your on-premises Exchange servers are not unnecessarily exposed to the internet. The history of Exchange exploitation shows that delays in mitigation can be costly.

Edited by the All Things Geek team.

Source: Tom's Guide
