
Microsoft Exchange Server zero-day exploited via crafted email

The CVE-2026-42897 flaw targets the Outlook Web Access interface on on-premises Exchange Server.
Microsoft confirms active exploitation of Exchange Server zero-day CVE-2026-42897 via crafted email with no permanent patch available for on-prem deployments.

Microsoft confirmed active exploitation of CVE-2026-42897, a zero-day in on-premises Exchange Server that lets attackers execute arbitrary JavaScript in a victim's browser by sending a crafted email. No permanent patch exists. Microsoft deployed an emergency mitigation on May 14, and CISA added the flaw to its Known Exploited Vulnerabilities catalog the following day, requiring federal agencies to remediate by May 29. Exchange Online is not affected.

What CVE-2026-42897 does

CVE-2026-42897 is a cross-site scripting flaw in the Outlook Web Access component of on-premises Microsoft Exchange Server, rated CVSS 8.1. An attacker sends a specially crafted email to a target. When the recipient opens it in OWA under certain interaction conditions, arbitrary JavaScript executes inside the browser session.

Microsoft classifies the vulnerability as a spoofing issue rooted in improper input neutralization during web page generation. The attack path does not require authentication or server access. It starts with an inbox.

Who is affected

The flaw hits on-premises Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Exchange Online is not vulnerable.

On-prem Exchange sits at the center of corporate email for governments, financial institutions, and enterprises that have not moved to the cloud. CISA's Known Exploited Vulnerabilities catalog lists nearly two dozen Exchange Server flaws already, and ransomware groups have abused several of them to breach targets. CVE-2026-42897 arrived just two days after May's Patch Tuesday, which patched 120 vulnerabilities but disclosed no zero-days in its release notes.

Mitigating the flaw

Microsoft deployed a temporary fix through its Exchange Emergency Mitigation Service, labeled M2.1.x. The EEMS applies the mitigation automatically via URL rewrite configuration on Exchange Mailbox servers where the service is enabled by default. Administrators can verify status using the Exchange Health Checker script at aka.ms/ExchangeHealthChecker.

For air-gapped or disconnected environments where EEMS cannot reach Microsoft's servers, admins must manually download the latest Exchange On-premises Mitigation Tool and run it via an elevated Exchange Management Shell. The command targets a single server or can run across the full Exchange fleet at once.

There is one cosmetic issue to be aware of. Some servers will show the mitigation status as "Mitigation invalid for this exchange version" in the description field. Microsoft confirms the fix is applied correctly in these cases if the status column reads "Applied". The display text is a known cosmetic bug under investigation.

Side effects of the mitigation

Applying the fix has functional consequences. The OWA Print Calendar feature stops working after the mitigation applies. Inline images no longer display correctly in recipients' reading panes inside Outlook Web Access.

OWA Light, the legacy interface accessed via a URL ending in /?layout=light, also stops functioning after the mitigation applies. Microsoft deprecated the interface years ago and does not consider it production-ready, but organizations still using it will need to route users through the standard OWA URL instead.

No permanent patch yet

Microsoft is developing a permanent fix and has not confirmed a release timeline. When available, Exchange Server Subscription Edition will receive it through the standard update channel. Exchange Server 2016 and 2019 will only get the permanent patch through Microsoft's Period 2 Extended Security Update program.

Organizations running either older version without ESU enrollment will stay exposed until they apply the emergency mitigation manually. CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15 and requires Federal Civilian Executive Branch agencies to remediate by May 29. Microsoft has not identified the threat actors behind the active attacks or disclosed which organizations attackers targeted.

The timing of CVE-2026-42897 sits at the other end of the vulnerability lifecycle from proactive discovery. Microsoft's MDASH AI model recently identified 16 critical Windows flaws before attackers could reach them, a detection approach that CVE-2026-42897 bypassed entirely.

Darryl Linington, 2026-05-17 (Update: 2026-05-17)