How CVE-2026-42897 Puts On-Premises Exchange Servers at Risk


CyberSecureFox Editorial Team

Microsoft has disclosed CVE-2026-42897 (CVSS 8.1), a cross-site scripting vulnerability in on-premises versions of Exchange Server that is already being actively exploited. A specially crafted email, when opened in Outlook Web Access, causes attacker-controlled JavaScript to execute in the victim's browser inside the OWA session. Exchange Server 2016, 2019, and Subscription Edition are affected at every update level; cloud-based Exchange Online is not. No permanent patch has been released yet. Microsoft is offering temporary mitigations through the Exchange Emergency Mitigation Service and the EOMT script, and these should be applied immediately.

Technical details of the vulnerability

According to the Microsoft Security Response Center bulletin, CVE-2026-42897 is classified as “Improper Neutralization of Input During Web Page Generation” (CWE-79 — cross-site scripting). Microsoft has assigned the vulnerability the status “Exploitation Detected”, confirming that it is being actively used in real-world attacks.

The attack vector is as follows: the attacker sends a specially crafted email to the victim. When the user opens it in the Outlook Web Access interface and performs certain actions (Microsoft describes this only as “certain interaction conditions”), the embedded JavaScript runs in the browser in the context of the OWA origin. MSRC rates the impact as spoofing and the attack vector as network, with no prior authentication required on the attacker's side: being able to deliver an email is all the access the attacker needs, and the victim's interaction with the message is the only precondition.

The CVSS score of 8.1 places the vulnerability in the high severity category. XSS is often treated as less dangerous than remote code execution, but in an Exchange deployment the situation is fundamentally different: script running in the OWA origin acts with the logged-in user's session, so it can read mailbox contents, send mail, and call OWA's own endpoints on the user's behalf. It does not even need to exfiltrate the session token to do so; same-origin requests carry the user's cookies automatically, so an HttpOnly flag on the cookie limits theft of the token but not abuse of the session.

Affected products

The vulnerability applies to all on-premises versions of Exchange Server regardless of installed updates:

  • Exchange Server 2016 — any update level
  • Exchange Server 2019 — any update level
  • Exchange Server Subscription Edition (SE) — any update level

According to Microsoft, Exchange Online is not affected by this vulnerability. Organizations that have fully migrated to Microsoft 365 are therefore not exposed to this issue; hybrid deployments that still run an on-premises server with OWA remain in scope.

What is known about exploitation

At the time of publication, Microsoft has not disclosed details on which specific threat actors are exploiting the vulnerability, the scale of the attacks, or whether they have been successful. There is no information about targeted industries or regions. The anonymous researcher who discovered and reported the issue has also not been publicly identified.

Nevertheless, the “Exploitation Detected” status is a signal that cannot be ignored. Exchange Server has long been one of the top-priority targets for attackers: the ProxyLogon and ProxyShell campaigns of 2021 led to the mass compromise of thousands of organizations worldwide.

Impact assessment

The highest risk is borne by organizations that continue to use on-premises Exchange Server installations with OWA exposed to the internet. This is a typical configuration for government agencies, financial institutions, and enterprises that, for regulatory or infrastructure reasons, have not moved to cloud solutions.

Successful exploitation of XSS in the context of a mail server can lead to:

  • Interception of session tokens and unauthorized access to mailboxes
  • Phishing attacks conducted on behalf of compromised users within the organization
  • Theft of confidential data from email correspondence
  • Use of the compromised access as a foothold for further lateral movement in the network

Practical security recommendations

Option 1: Exchange Emergency Mitigation Service (recommended)

According to Microsoft’s documentation, the Exchange Emergency Mitigation Service (EEMS) automatically applies the temporary fix as an IIS URL Rewrite rule. The service is enabled by default in supported versions of Exchange Server, but it can only pick up new mitigations if the server can reach Microsoft's Office Config Service, which is why it is of no use to isolated servers (see Option 2). If the service has been disabled, at either the organization or the server level, it must be re-enabled immediately; the MitigationsEnabled property returned by Get-OrganizationConfig and Get-ExchangeServer shows the current state at each level.

Option 2: Manual application via EOMT (for isolated environments)

For servers without internet access, the Exchange team recommends using the Exchange On-Premises Mitigation Tool (EOMT):

  1. Download the latest version of EOMT from aka.ms/UnifiedEOMT
  2. To apply on a single server, run the following in an elevated Exchange Management Shell:
    .\EOMT.ps1 -CVE "CVE-2026-42897"
  3. To apply on all servers (except Edge):
    Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
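The two options above, together with the verification step that follows, gathered into one Exchange Management Shell run sheet. This is an added example, not a script from the MSRC advisory or from Microsoft's EOMT documentation: the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties and the MSExchangeMitigation service exist in supported Exchange versions, but the placement of EOMT.ps1 in the current directory and the row layout matched in the Get-Mitigations.ps1 output are assumptions that must be checked against your own output.

```powershell
# Added example (not Microsoft's code): EEMS health check, EOMT push for
# isolated servers, and verification that the mitigation reports "Applied".
# Run in an elevated Exchange Management Shell on a Mailbox server.
# Assumptions: EOMT.ps1 is in the current directory; the CVE id and its
# status appear on the same row of the Get-Mitigations.ps1 report.

$cve = 'CVE-2026-42897'

# --- Option 1: EEMS must be on at both levels where it can be switched off ---

# Organization-level switch. EEMS is inert on every server while this is $false.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level; enabling it.'
    Set-OrganizationConfig -MitigationsEnabled $true
}

# Per-server switch, plus the Windows service that actually polls and applies.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }
foreach ($server in $servers) {
    $state = Get-ExchangeServer -Identity $server.Name |
        Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

    if (-not $state.MitigationsEnabled) {
        Write-Warning "EEMS is disabled on $($server.Name); enabling it."
        Set-ExchangeServer -Identity $server.Name -MitigationsEnabled $true
    }

    # MSExchangeMitigation is the service behind EEMS; stopped means no auto-fix.
    $svc = Get-Service -ComputerName $server.Fqdn -Name MSExchangeMitigation `
        -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning "MSExchangeMitigation is not running on $($server.Name)."
    }

    # Record what EEMS has already applied or blocked before EOMT runs.
    Write-Host ('{0}: applied=[{1}] blocked=[{2}]' -f $state.Name,
        ($state.MitigationsApplied -join ','), ($state.MitigationsBlocked -join ','))
}

# --- Option 2: push the mitigation with EOMT where EEMS cannot fetch it -------
# Same invocation as step 3 above; EOMT.ps1 is assumed to be in $PWD.
$servers | .\EOMT.ps1 -CVE $cve

# --- Verification: status must read "Applied". The Description column may
#     carry the cosmetic "Mitigation invalid for this exchange version" text. --
$report = & (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1') |
    Out-String

# Assumption: the CVE id and its status are printed on one row of the report.
if ($report -match "(?m)^.*$([regex]::Escape($cve)).*Applied") {
    Write-Host "Mitigation for $cve reports Applied on $($env:COMPUTERNAME)."
} else {
    Write-Warning "Mitigation for $cve is NOT reported as Applied; review the report:"
    Write-Host $report
}
```

Get-Mitigations.ps1 reports the server it runs on, so run the verification block on each Mailbox server (or wrap it in Invoke-Command) rather than trusting a single result for the whole organization. The EEMS checks are worth keeping in a scheduled job: a server whose MSExchangeMitigation service has been stopped will silently miss any further mitigations Microsoft publishes for this CVE.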

Known cosmetic issue

Microsoft has confirmed that after applying the mitigation, the Description field may display the message “Mitigation invalid for this exchange version.” This is a cosmetic defect — if the status shows “Applied,” protection is functioning correctly. Microsoft is working to fix this display issue.

Organizations running on-premises versions of Exchange Server should apply the temporary protections against CVE-2026-42897 within the next few hours, without waiting for a permanent patch. Priority should be given to servers with OWA exposed to the internet. After applying the mitigation, make sure the status is shown as “Applied,” and monitor the MSRC advisory for information on the release of a full security update.

