
Microsoft Warns of Exchange Zero-Day CVE-2026-42897 Exploited in

CVE-2026-42897 is a high-severity Exchange Server spoofing flaw exploited in the wild, enabling XSS-based code execution via Outlook on the web.

Executive Summary

Microsoft disclosed on Thursday that a previously unknown Exchange Server vulnerability, tracked as CVE-2026-42897, is being actively exploited in attacks. The flaw is a spoofing vulnerability that allows remote attackers to execute arbitrary JavaScript in the context of Outlook on the Web (OWA) via a cross-site scripting (XSS) attack. Microsoft rates the severity as high but has not yet released a permanent security update. The company is urging administrators to enable the Exchange Emergency Mitigation Service (EEMS) or manually apply mitigations via the Exchange On-Premises Mitigation Tool (EOMT) as an interim measure.

Technical Analysis

CVE-2026-42897 affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) — including fully patched, up-to-date installations. According to Microsoft's Exchange Team, an attacker can exploit the vulnerability by sending a specially crafted email to a target user. If the recipient opens the email in OWA and certain interaction conditions are met (e.g., clicking a link or previewing the message in a specific way), arbitrary JavaScript executes in the browser context of the OWA session.

The vulnerability is classified as a spoofing flaw, but the attack vector is XSS-based code execution. Microsoft has not published a CVSS score as of this writing, but the description — remote, unauthenticated, low-complexity exploitation requiring user interaction — aligns with a base score likely in the 7.0–8.0 range. The company confirmed that the flaw is being exploited in the wild but did not attribute the activity to any specific threat actor or disclose the scope of observed attacks.

Microsoft's primary recommended mitigation is the Exchange Emergency Mitigation Service (EEMS), introduced in September 2021 after the ProxyLogon and ProxyShell waves of attacks. EEMS runs as a Windows service on Exchange Mailbox servers and automatically applies interim mitigations for high-risk, actively exploited vulnerabilities. It is enabled by default on servers with the Mailbox role. For organizations that have disabled EEMS, Microsoft strongly advises re-enabling it immediately.

For administrators in air-gapped or restricted environments, Microsoft released an updated version of the Exchange On-Premises Mitigation Tool (EOMT). The mitigation can be applied via an elevated Exchange Management Shell (EMS) with the following commands:

  • Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
  • All servers (excluding Edge): Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

Microsoft cautions that applying the mitigation will cause several known functional impacts:

  • The OWA Print Calendar feature may stop working. Workarounds include copying calendar data, taking screenshots, or using the Outlook Desktop client.
  • Inline images may not display correctly in the recipient's OWA reading pane. Microsoft suggests sending images as email attachments or using the Outlook Desktop client.
  • OWA Light (URL ending in /?layout=light) does not function properly. Microsoft notes this feature was deprecated years ago and is not intended for regular production use.

Microsoft plans to release permanent patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14 and CU15. However, updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server Extended Security Updates (ESU) program, reflecting the end-of-support status for those products as of October 2025.

Mitigations & Recommendations

Organizations running on-premises Exchange Server should immediately verify that the Exchange Emergency Mitigation Service (EEMS) is enabled on all Mailbox servers. Microsoft states that EEMS will automatically apply the mitigation for CVE-2026-42897 without requiring manual intervention. Administrators can check EEMS status via the Exchange Admin Center or by running Get-ExchangeServer | fl *Emergency* in EMS.

For environments where EEMS is disabled or unavailable (e.g., air-gapped networks), the Exchange On-Premises Mitigation Tool (EOMT) should be downloaded from the Microsoft Download Center and executed with the CVE-specific flag as described above. Microsoft warns that the mitigation is not a substitute for a patch — it blocks the known exploitation path but may not cover all variations.
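The two checks above (is EEMS enabled on every Mailbox server, and which servers must fall back to EOMT) can be combined into one inventory pass. The script below is an added example, not Microsoft's or the Exchange Team's code; it assumes the Mitigations* properties exposed by Get-ExchangeServer and Get-OrganizationConfig since EEMS shipped, and the EEMS Windows service name MSExchangeMitigation. It reports only; it does not run EOMT for you.

```powershell
# Added example (not Microsoft's code): inventory EEMS state for CVE-2026-42897
# across non-Edge Exchange servers and list the ones that still need EOMT.
# Run from an elevated Exchange Management Shell. Assumed: the Mitigations*
# properties of Get-ExchangeServer / Get-OrganizationConfig and the EEMS
# service name "MSExchangeMitigation".

$cve = "CVE-2026-42897"

# EEMS is switched at the organization level and per server; both must be on.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = Get-ExchangeServer |
    Where-Object { $_.ServerRole -ne "Edge" } |
    ForEach-Object {
        $svc = $null
        try {
            # Get-Service -ComputerName is available in Windows PowerShell 5.1 (what EMS uses).
            $svc = Get-Service -ComputerName $_.Name -Name MSExchangeMitigation -ErrorAction Stop
        } catch { }

        [pscustomobject]@{
            Server             = $_.Name
            Version            = $_.AdminDisplayVersion
            OrgEemsEnabled     = $orgEnabled
            ServerEemsEnabled  = $_.MitigationsEnabled
            EemsServiceStatus  = if ($svc) { $svc.Status.ToString() } else { "unknown" }
            MitigationsApplied = ($_.MitigationsApplied -join ",")
            MitigationsBlocked = ($_.MitigationsBlocked -join ",")
        }
    }

$report | Format-Table -AutoSize

# Servers where EEMS cannot be relied on need the manual EOMT path.
$needsEomt = $report | Where-Object {
    -not $_.OrgEemsEnabled -or -not $_.ServerEemsEnabled -or $_.EemsServiceStatus -ne "Running"
}

if ($needsEomt) {
    Write-Warning "EEMS is not active on $(@($needsEomt).Count) server(s); apply the mitigation manually:"
    foreach ($s in $needsEomt) {
        # Single-server command form from the Exchange Team guidance.
        Write-Host "  On $($s.Server): .\EOMT.ps1 -CVE `"$cve`""
    }
} else {
    Write-Host "EEMS is enabled and running on all non-Edge servers; it will apply the $cve mitigation automatically."
}
```

A server that shows the mitigation in MitigationsBlocked has been explicitly excluded from EEMS and will not receive the interim fix until that block is cleared or EOMT is run on it.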

Defenders should monitor OWA access logs for unusual JavaScript execution patterns, unexpected redirects, or anomalous email interactions from external senders. Given that the attack requires user interaction in OWA, user awareness training about not clicking links or opening suspicious emails in the web client is a sensible short-term control. Organizations that have not yet enrolled in the ESU program for Exchange 2016/2019 should do so to receive the forthcoming permanent fix.
