Microsoft Issues Warning on Critical Zero-Day Vulnerability Affecting Exchange Server
In the realm of cybersecurity, Microsoft has recently issued an urgent alert concerning a significant zero-day vulnerability that poses a risk of exploitation through email. This vulnerability allows potential attackers to send arbitrary code to an unsuspecting victim via specially crafted emails targeting Outlook users. The vulnerability has been identified as CVE-2026-42897 and is characterized by improper input neutralization during web page generation, a flaw commonly associated with cross-site scripting (XSS) vulnerabilities.
This security concern was disclosed on May 14 and has been assigned a high-severity rating with a CVSS score of 8.1, indicating a serious risk that could potentially have widespread implications. The flaw specifically affects several versions of on-premises Exchange Server software:
- All current versions of Exchange Server 2016
- All current versions of Exchange Server 2019
- All versions of the Exchange Server Subscription Edition (SE)
One crucial point to note is that Exchange Online is not impacted by this vulnerability, providing some relief to users of the cloud-based email service.
Immediate Actions and Mitigation Strategies
While Microsoft has yet to release a definitive patch to resolve this vulnerability, the company has issued a security advisory providing interim solutions that organizations can implement to mitigate potential security threats. The advisory offers two primary strategies aimed at protecting systems until a patch can be developed and deployed.
The first and preferred method involves utilizing the Exchange Emergency Mitigation (EM) Service. Microsoft recommends enabling this service, as it is activated by default for most installations. Organizations that have this service enabled will find that mitigations against the vulnerability have already been automatically applied. Administrators can verify the status of these mitigations through the following steps:
- Review the documentation to check applied mitigations specifically related to CVE-2026-42897 (M2.1.x).
- Utilize the Exchange Health Checker script to assess the status of the EM Service and confirm that mitigations are effectively in place.
- If the EM Service is currently disabled, Microsoft strongly urges administrators to activate it.
However, it is important to note that servers running versions older than March 2023 will not receive new mitigation measures via this service.
For those environments that are unable to use the EM Service—such as systems that are disconnected from the internet or operate in air-gapped settings—there is an alternative manual mitigation approach. Administrators can take the following steps:
- Download the latest version of the Exchange On-premises Mitigation Tool (EOMT).
- Execute the provided PowerShell script from an elevated Exchange Management Shell, which allows for targeted mitigation either on a single server or across multiple servers simultaneously using the CVE-2026-42897 identifier.
Microsoft does caution that implementing either of these mitigation measures may result in some operational challenges. For instance, users could experience the disabling or disruption of specific features, such as capabilities tied to Outlook Web App (OWA) Print Calendar and inline images.
Future Developments and Updates
The tech giant is diligently working on developing security patches for the affected Exchange Server versions. It has been indicated that updates for the Exchange Server Subscription Edition (SE) will be made available as a publicly released security update. On the other hand, for updates concerning Exchange 2016 and 2019, these will only be accessible to customers who are enrolled in the Period 2 Exchange Server Extended Security Update (ESU) program.
In light of this situation, organizations employing the affected Exchange Server versions are advised to take immediate action to assess their configurations and apply the suggested mitigation measures. The threat posed by CVE-2026-42897 underscores the ongoing need for vigilance in cybersecurity practices and highlights the importance of promptly addressing vulnerabilities as they arise.
As Microsoft continues to monitor the situation and develop a comprehensive fix, the tech community stands on alert, understanding that the repercussions of this vulnerability could reverberate significantly across various sectors reliant on Exchange Server for their communication infrastructures.