Microsoft has confirmed a new zero-day vulnerability in Exchange Server that is being actively exploited. No permanent patch has yet been released for the vulnerability, which is tracked as CVE-2026-42897. The company recommends that temporary mitigation measures be applied immediately on affected systems.

Summary in 10 seconds

A new zero-day vulnerability, CVE-2026-42897, has been identified in Microsoft Exchange Server. It can be triggered by specially crafted e-mails opened through Outlook Web Access / Outlook on the web. A permanent patch has not yet been released; Microsoft urges administrators to enable EEMS and apply the temporary mitigation steps.

Exchange Server vulnerability used in active attacks

A new critical security warning has been issued for organizations running Microsoft Exchange Server. Microsoft confirmed that CVE-2026-42897 is being actively exploited by attackers. The vulnerability affects Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition, the versions organizations run in their on-premises e-mail infrastructures. Microsoft classifies it as a spoofing vulnerability. Technically, the problem is a cross-site scripting (XSS) flaw caused by insufficient sanitization of input when the web page is generated. It can be exploited by an attacker sending a specially crafted e-mail to the target user.

The vulnerability is triggered via OWA

The most striking aspect of CVE-2026-42897 is that the attack works through the Outlook Web Access / Outlook on the web component of Exchange. According to Microsoft's statement, the attacker sends a specially prepared e-mail to the target user. When the user opens this e-mail in OWA and certain interaction conditions are met, JavaScript prepared by the attacker can execute within the user's browser session.

Although this scenario does not directly amount to a complete takeover of the server, it poses a serious risk for corporate e-mail environments, because the attacker can display fake content in the context of the user's web client, manipulate session behavior, or make social engineering attacks more convincing.

The permanent patch has not been released yet

Microsoft closed 137 vulnerabilities with the May 2026 Patch Tuesday updates. This Exchange Server vulnerability, however, was disclosed approximately 48 hours after that update package. The company is currently working on a permanent patch. Until it is available, system administrators need to activate the temporary mitigation measures. Microsoft particularly recommends that customers enable the Exchange Emergency Mitigation Service (EEMS), the mechanism through which Microsoft pushes temporary protection rules against urgent Exchange threats. In air-gapped environments or environments with limited internet access, the mitigation for this CVE can be applied with the Exchange On-premises Mitigation Tool.

CISA added it to the KEV catalog

Initial reports stated that CVE-2026-42897 had not yet been added to CISA's Known Exploited Vulnerabilities catalog. According to current records, however, the vulnerability was cataloged on May 15, 2026, and the remediation deadline for federal agencies was set at May 29, 2026. This further confirms that the vulnerability is not merely a theoretical risk but is being used in real attacks. Exchange Server has historically been among the Microsoft products most targeted by attackers. Organizations, especially those whose OWA is exposed to the internet, therefore need to check their systems without delay.

What should system administrators do?

Organizations running Exchange Server should first identify affected versions, check the EEMS status, and apply the temporary mitigation steps published by Microsoft. Because the risk is higher where OWA is reachable from the internet, access policies, log records and unusual e-mail behavior should also be reviewed. Once a permanent patch is released, administrators should not settle for the temporary mitigations; the official security update should be applied promptly. Since attack details have not yet been shared publicly, organizations should not rely solely on signature-based detection and should also bring behavioral analysis into play.
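As an added example (not from the article and not Microsoft's own tooling), the following PowerShell covers the first two steps above: inventory the Exchange server builds and confirm whether EEMS is actually enabled and has applied mitigations. It assumes the standard Exchange Management Shell cmdlets and the Get-Mitigations.ps1 script that ships in the Exchange Scripts folder.

```powershell
# Added example: inventory Exchange servers, their build, and EEMS status.
# Run from the Exchange Management Shell on an Exchange 2016/2019/SE server.
# Assumes Get-OrganizationConfig, Get-ExchangeServer and the Get-Mitigations.ps1
# script in $exscripts, all of which ship with supported Exchange builds.

# 1. Organization-wide EEMS switch. If this is $false, no server receives
#    mitigation rules regardless of the per-server setting.
$org = Get-OrganizationConfig
"Organization-level MitigationsEnabled: $($org.MitigationsEnabled)"

# 2. Per-server view: AdminDisplayVersion is what you compare against the
#    affected-version list in Microsoft's advisory; MitigationsEnabled is the
#    per-server EEMS flag and MitigationsApplied lists rules already in place.
$mailboxServers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }
$mailboxServers |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied |
    Format-Table -AutoSize

# 3. Servers that will not receive EEMS rules and therefore need the manual
#    route (Exchange On-premises Mitigation Tool) until the patch ships.
$unprotected = $mailboxServers | Where-Object {
    -not $org.MitigationsEnabled -or -not $_.MitigationsEnabled
}
if ($unprotected) {
    Write-Warning "EEMS not effective on: $($unprotected.Name -join ', ')"
} else {
    "EEMS is enabled on all mailbox servers."
}

# 4. Detailed list of mitigations applied on the local server. Compare the
#    mitigation IDs with the ones Microsoft names for CVE-2026-42897.
& "$exscripts\Get-Mitigations.ps1"
```

Servers flagged in step 3 are the ones to prioritize: either enable EEMS there or apply the mitigation manually, and re-run the check after the permanent update is installed.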
Editor's note

Exchange Server remains at the center of many organizations' critical e-mail infrastructure. That is why even vulnerabilities that appear to "only work through OWA" can have serious consequences in practice. The temporary measures recommended by Microsoft, EEMS first among them, should not be neglected until the permanent patch arrives. Do you think organizations should still run on-premises Exchange Server, or has moving to cloud-based e-mail infrastructure become mandatory for security reasons? You can share your opinions in the comments.

