On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Ravie Lakshmanan May 15, 2026 Microsoft / Vulnerability Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw.
An anonymous researcher has been credited with discovering and reporting the issue. "Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," the tech giant said in a Thursday advisory. Microsoft, which tagged the vulnerability with an "Exploitation Detected" assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other "certain interaction conditions," can allow arbitrary JavaScript code to be executed in the context of the web browser.
Redmond also noted that it's providing a temporary mitigation through its Exchange Emergency Mitigation Service , while it's readying a permanent fix for the security defect. The Exchange Emergency Mitigation Service will provide the mitigation automatically via a URL rewrite configuration, and is enabled by default. If it's not on, users are advised to enable the Windows service. According to Microsoft, Exchange Online is not impacted by this vulnerability.
The following on-premises Exchange Server versions are affected - Exchange Server 2016 (any update level) Exchange Server 2019 (any update level) Exchange Server Subscription Edition (SE) (any update level) If using the Exchange Emergency Mitigation Service is not an option due to air-gap restrictions, the company has outlined the following series of actions - Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT.
Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS): Single server: .\EOMT.ps1 -CVE "CVE-2026-42897" All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897" Microsoft said it's also aware of a known issue where the mitigation shows the "Mitigation invalid for this exchange version." in the Description field. "This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as 'Applied,'" the Exchange Team said . "We are investigating on how to address this." There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts.
It's also unclear who the targets are and if any of those attacks were successful. In the interim, it's recommended to apply the mitigations recommended by Microsoft. Update The U.S.Cybersecurity and Infrastructure Security Agency (CISA), on May 15, 2026, added CVE-2026-42897 Mi to its Known Exploited Vulnerabilities ( KEV ) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary mitigations by May 29, 2026.
Found this article interesting? Follow us on Google News , Twitter LinkedIn to read more exclusive content we post. Tweet Share Share Share Cross-site Scripting , cybersecurity , Exchange Server , Microsoft , Outlook , Vulnerability ⚡ Top Stories This Week 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign Trellix Confirms Source Code Breach With Unauthorized Repository Access ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise 2026: The Year of AI-Assisted Attacks Day Zero Readiness: The Operational Gaps That Break Incident Response We Scanned 1 Million Exposed AI Services.
Here's How Bad the Security Actually Is ⭐ Featured Resources [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Guide] Get Practical AI SOC Insights to Improve Threat Detection [Demo] Discover How to Control Autonomous Identity Risks Effectively [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster Cybersecurity Webinars Building Stronger Defenses Stop Patient Zero Attacks Before They Bypass Detection Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points.
Register Reduce AppSec Risk Validate Real Attack Paths Before Attackers Exploit Them Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. ⚡ Latest News Cybersecurity Resources Build Security Strategy That Earns Executive Buy-In — SANS LDR514, NYC SANS LDR514 in NYC, Aug 10–15: policy, risk frameworks, board communication, and strategic leadership.
Your VPN is Helping Attackers Move as Fast as AI AI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk Management Lead the future of cybersecurity risk management with an online Master’s from Georgetown. Expert Insights Articles Videos From Phishing to Recovery: Breaking the Ransomware Attack Chain May 04, 2026 Read ➝ Mythos is Coming: What the Next Six Months Require Your Biggest Security Risk Isn’t Malware — It's What You Already Trust CTM360 Exposes Global GovTrap Campaign With 11,000+ Fake Government Portals Targeting Citizens Worldwide April 27, 2026 Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.