Crafted Emails Trigger Microsoft Exchange Server Zero-Day Attacks

Microsoft Exchange Server zero-day CVE-2026-42897 is being actively exploited through crafted emails

Microsoft has confirmed that attackers are actively exploiting CVE-2026-42897, a zero-day vulnerability affecting on-premises Microsoft Exchange Server environments. The flaw can allow malicious JavaScript to run in a victim’s browser after they open a specially crafted email in Outlook Web Access.

There is currently no permanent security patch for the vulnerability. Microsoft released an emergency mitigation on May 14 to help reduce exposure, while the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15. Federal civilian agencies have been ordered to address the issue by May 29.

Exchange Online is not affected.

CVE-2026-42897 targets Outlook Web Access in on-premises Exchange Server

CVE-2026-42897 is a cross-site scripting vulnerability in the Outlook Web Access component of Microsoft Exchange Server. The issue has been assigned a CVSS severity score of 8.1, placing it in the high-risk category.

The attack begins with an email. A threat actor sends a carefully crafted message to the target’s inbox. If the recipient opens that message in Outlook Web Access under specific interaction conditions, malicious JavaScript can execute within the user’s browser session.

Microsoft describes the vulnerability as a spoofing issue caused by improper handling of input during web page generation. What makes the flaw especially concerning is that attackers do not need to authenticate to the Exchange server or gain prior server access. The exploit path starts directly with a message delivered to the victim.

Affected Microsoft Exchange Server versions

The vulnerability affects on-premises deployments of:

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

Microsoft Exchange Server Subscription Edition

The issue applies across all update levels of these affected versions.

Organizations using Exchange Online are not vulnerable to CVE-2026-42897. However, companies and government agencies that continue to rely on on-premises Exchange infrastructure should treat the flaw as urgent, especially because active exploitation has already been confirmed.

On-premises Exchange Server remains widely used in enterprise, public sector, financial, healthcare, and regulated environments. Because email servers are high-value targets, Exchange vulnerabilities have frequently been abused in past cyberattacks, including ransomware campaigns and espionage operations.

Microsoft emergency mitigation now available

Microsoft has deployed a temporary fix through the Exchange Emergency Mitigation Service. The mitigation is identified as M2.1.x and is applied through URL rewrite rules on Exchange Mailbox servers where the mitigation service is enabled.

For many organizations, the protection should be applied automatically. Administrators should still verify that the mitigation has been successfully installed across all Exchange servers, especially in larger or hybrid environments where configurations may vary.

For disconnected, air-gapped, or restricted environments that cannot automatically communicate with Microsoft services, administrators must manually apply the mitigation using the latest Exchange On-premises Mitigation Tool. This must be run from an elevated Exchange Management Shell and can be applied to individual servers or across the full Exchange server fleet.

Microsoft has also warned about a cosmetic reporting issue. Some servers may display the description “Mitigation invalid for this exchange version.” According to Microsoft, the mitigation is still correctly applied if the status column shows “Applied.” The incorrect description is a known display bug and is being investigated.
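A practical way to act on the two verification points above (confirm EEMS is enabled and the M2.1.x mitigation reports as Applied on every Mailbox server, while tolerating the cosmetic description bug) is a fleet-wide check from the Exchange Management Shell. The script below is an added example written for this page, not Microsoft's own tooling. It assumes: an elevated Exchange Management Shell with PowerShell remoting to each server; the `MitigationsEnabled` and `MitigationsApplied` properties exposed by `Get-ExchangeServer` and `Get-OrganizationConfig`; that `Get-Mitigations.ps1` in the Exchange Scripts folder returns rows with `Mitigation`, `Description` and `Status` columns as the article describes; and that the mitigation ID starts with `M2.1.` as stated above. Adjust the pattern if your servers report a different ID.

```powershell
# Added example (not Microsoft's code). Evaluation logic is kept separate from
# data collection so it can be exercised against constructed input.

function Get-MitigationVerdict {
    param(
        [Parameter(Mandatory)][string]$Server,
        [bool]$EemsEnabled,
        [string[]]$AppliedIds = @(),   # Get-ExchangeServer ... MitigationsApplied
        [object[]]$Rows = @(),         # Get-Mitigations.ps1 rows (assumed columns)
        [string]$IdPattern = '^M2\.1\.' # mitigation ID prefix taken from the article
    )
    $applied = @($AppliedIds | Where-Object { $_ -match $IdPattern })
    $row     = $Rows | Where-Object { $_.Mitigation -match $IdPattern } | Select-Object -First 1

    $verdict = 'NotApplied'
    $note    = 'no M2.1.x entry found; apply it with the Exchange On-premises Mitigation Tool'

    if ($applied.Count -gt 0 -or ($row -and $row.Status -eq 'Applied')) {
        $verdict = 'Applied'
        $ids  = @(($applied + @($row.Mitigation)) | Where-Object { $_ } | Select-Object -Unique)
        $note = $ids -join ','
        # Known display bug: Description may read "Mitigation invalid for this exchange
        # version." while Status is Applied. Per Microsoft the Status column is authoritative.
        if ($row -and $row.Description -like 'Mitigation invalid*') {
            $note += ' (description shows the known display bug; Status=Applied is authoritative)'
        }
    }
    if (-not $EemsEnabled) {
        $note += '; EEMS disabled on this server, so the mitigation will not refresh automatically'
    }
    [pscustomobject]@{ Server = $Server; EemsEnabled = $EemsEnabled; Verdict = $verdict; Detail = $note }
}

function Get-FleetMitigationReport {
    param([string]$IdPattern = '^M2\.1\.')

    # Organization-level switch: when this is off, EEMS does nothing on any server.
    if (-not (Get-OrganizationConfig).MitigationsEnabled) {
        Write-Warning 'MitigationsEnabled is False at the organization level; EEMS is off org-wide.'
    }

    foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' })) {
        $rows = @()
        try {
            # Get-Mitigations.ps1 is run locally on each server (assumes PS remoting is allowed).
            $rows = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction Stop -ScriptBlock {
                & (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')
            }
        } catch {
            Write-Warning "$($srv.Name): could not run Get-Mitigations.ps1 ($($_.Exception.Message))"
        }
        Get-MitigationVerdict -Server $srv.Name -EemsEnabled ([bool]$srv.MitigationsEnabled) `
            -AppliedIds @($srv.MitigationsApplied) -Rows @($rows) -IdPattern $IdPattern
    }
}

# Constructed sample (not real server output) showing the display-bug case being
# classified as Applied:
$sampleRows = @([pscustomobject]@{
    Mitigation  = 'M2.1.1'
    Description = 'Mitigation invalid for this exchange version.'
    Status      = 'Applied'
})
Get-MitigationVerdict -Server 'EX01-SAMPLE' -EemsEnabled $true -Rows $sampleRows | Format-List

# Fleet usage from the Exchange Management Shell:
#   Get-FleetMitigationReport | Format-Table -AutoSize
#   Get-FleetMitigationReport | Where-Object Verdict -ne 'Applied'
```

Servers that come back as `NotApplied`, or that have EEMS disabled, are the ones to handle manually with the Exchange On-premises Mitigation Tool; the report is also a convenient artifact to keep until the permanent patch is installed.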

Known side effects after applying the mitigation

The emergency mitigation helps reduce the risk from CVE-2026-42897, but it can affect some Outlook Web Access features.

After the mitigation is applied, the OWA Print Calendar feature will stop working. Inline images may also fail to display correctly in recipients’ reading panes inside Outlook Web Access.

Another affected feature is OWA Light, the older legacy interface accessed through a light-layout URL. Once the mitigation is in place, OWA Light will no longer function. Microsoft deprecated this interface years ago, but some organizations may still have users relying on it. Those users should be moved to the standard Outlook Web Access interface instead.
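Because the mitigation breaks OWA Light outright, it helps to know which accounts still use it before the change lands so they can be moved to the standard interface first. The script below is an added example, not part of the article or of any Microsoft tool. It assumes that OWA Light is requested with the query string `layout=light` (the "light-layout URL" mentioned above), that the IIS W3C logs for the Exchange front end include the `cs-uri-stem`, `cs-uri-query` and `cs-username` fields, and that those logs live under the default `C:\inetpub\logs\LogFiles\W3SVC1` path. The log lines embedded in the script are constructed samples, not real traffic.

```powershell
# Added example (not from the article). Summarises OWA Light usage per account from
# IIS W3C log lines so those users can be migrated before the mitigation is applied.

function Get-OwaLightUsers {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    $hits   = @{}
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Field order can differ between log files, so always take it from the header.
            $fields = ($line.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }   # other directives / no header yet

        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }              # skip truncated lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

        # Only OWA requests whose query string selects the light layout (assumed marker).
        if ($rec['cs-uri-stem'] -notlike '/owa*') { continue }
        if ($rec['cs-uri-query'] -notmatch '(^|&)layout=light(&|$)') { continue }

        $user = $rec['cs-username']
        if ($user -eq '-') { $user = "(unauthenticated from $($rec['c-ip']))" }
        if (-not $hits.ContainsKey($user)) {
            $hits[$user] = [pscustomobject]@{ User = $user; Requests = 0; LastSeen = $null }
        }
        $hits[$user].Requests++
        $hits[$user].LastSeen = "$($rec['date']) $($rec['time'])"
    }
    $hits.Values | Sort-Object Requests -Descending
}

# Constructed sample log (not real data) in IIS W3C format.
$sampleLog = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status',
    '2026-05-15 08:01:10 GET /owa/ layout=light CONTOSO\jdoe 10.0.0.21 200',
    '2026-05-15 08:02:44 GET /owa/ - CONTOSO\asmith 10.0.0.22 200',
    '2026-05-15 08:03:01 GET /owa/ layout=light&ae=Folder CONTOSO\jdoe 10.0.0.21 200',
    '2026-05-15 08:05:19 GET /owa/auth/logon.aspx layout=light - 10.0.0.30 200'
)
# Expected: CONTOSO\jdoe with 2 requests, one unauthenticated entry from 10.0.0.30; asmith absent.
Get-OwaLightUsers -LogLines $sampleLog | Format-Table -AutoSize

# Real usage against the front-end IIS logs (assumed default path):
#   Get-OwaLightUsers -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') |
#       Export-Csv .\owa-light-users.csv -NoTypeInformation
```

Run it across a couple of weeks of logs from every front-end server, since OWA Light users tend to be a small, stable population; the resulting list is the set of people to contact before the mitigation removes the interface.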

No permanent patch has been released yet

Microsoft is still working on a permanent fix for CVE-2026-42897 and has not provided a confirmed release date.

When the final patch becomes available, Exchange Server Subscription Edition will receive it through the normal update process. Exchange Server 2016 and Exchange Server 2019 will only receive the permanent fix through Microsoft’s Period 2 Extended Security Update program.

That detail is important for organizations still running older Exchange versions. Systems not enrolled in the required extended update program may remain at risk unless the emergency mitigation is applied and maintained correctly.

Why organizations should act immediately

CVE-2026-42897 is not a theoretical risk. Microsoft has confirmed real-world exploitation, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog. That means attackers are already using it, and exposed Exchange servers should be treated as a priority.

Administrators should confirm whether their organization runs affected on-premises Exchange Server versions, verify that the emergency mitigation has been applied, check for any signs of suspicious activity, and prepare for the permanent patch once Microsoft releases it.

Microsoft has not publicly named the threat actors exploiting CVE-2026-42897 or identified the organizations targeted so far. Until a full patch is available, the emergency mitigation remains the most important defense for affected on-premises Exchange environments.