Microsoft warns of Exchange zero-day flaw exploited in attacks Home News Microsoft Microsoft warns of Exchange zero-day flaw exploited in attacks Sergiu Gatlan May 15, 2026 05:40 AM On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users.
Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software. While patches aren't yet available to permanently fix the vulnerability, the company added that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers. "An attacker could exploit this issue by sending a specially crafted email to a user.
If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," the Exchange Team said . "Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away. Please note that EM Service will not be able to check for new mitigations if your server is running Exchange Server version older than March 2023." EEMS was introduced in September 2021 to provide automated protection for on-premises Exchange servers, securing them against ongoing attacks by applying interim mitigations for high-risk (and likely actively exploited) vulnerabilities.
EEMS runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with the Mailbox role. The security feature was added after many hacking groups exploited ProxyLogon ProxyShell zero-days (which lacked patches or mitigation information) to breach Internet-exposed Exchange servers. Admins with servers in air-gapped environments can also mitigate the flaw by downloading the latest Exchange on-premises Mitigation Tool (EOMT) version and applying the mitigation by running the script via an elevated Exchange Management Shell (EMS) with one of the following commands: Single server:
.\EOMT.ps1 -CVE "CVE-2026-42897" All servers:
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897" However, it’s important to note that applying the mitigation measures on vulnerable servers will cause issues, including: OWA Print Calendar functionality might not work. As a workaround, Microsoft suggested copying the data, taking a screenshot of the calendar you want to print, or using the Outlook Desktop client.
Inline images might not display correctly in the recipients' OWA reading pane. As a workaround, users are advised to send images as email attachments or use the Outlook Desktop client. OWA light (OWA URL ending in /?layout=light ) does not work properly (this feature was deprecated several years ago and is not intended for regular production use). Microsoft plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15, but says that updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server ESU program.
BleepingComputer also reached out to Microsoft with questions about the attacks, but a response was not immediately available. In October, weeks after Exchange 2016 and 2019 reached the end of support , the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released guidance to help IT admins harden Microsoft Exchange servers against attacks. Over the last 5 years, CISA has added 19 Microsoft Exchange Server vulnerabilities to its list of actively exploited security flaws, 14 of which were also abused in ransomware attacks.
The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. Download Now CISA orders feds to patch Windows flaw exploited as zero-day Recently leaked Windows zero-days now exploited in attacks Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 Code Execution JavaScript Microsoft Microsoft Exchange Mitigation Zero-Day Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade.
Email or Twitter DMs for tips. Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now You may also like: Upcoming Webinar Popular Stories Windows BitLocker zero-day gives access to protected drives, PoC released Dell confirms its SupportAssist software causes Windows BSOD crashes OpenAI confirms security breach in TanStack supply chain attack Sponsor Posts Overdue a password health-check?
Audit your Active Directory for free Are stolen sessions bypassing your security? Find out for free. 12 steps to defend against AI-powered exploits before the Glasswing report drops https://www.nmftacyber.com/ Login Username Password Remember Me Sign in anonymously Sign in with Twitter Reporter Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Other Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT