Microsoft confirms Exchange zero-day
- Microsoft said on May 14 that CVE-2026-42897 is being actively exploited against on-premises Exchange Server and urged customers to enable Emergency Mitigation.
- The affected products are Exchange Server 2016, 2019 and Subscription Edition; Exchange Online is not affected, and Microsoft says no security update exists yet.
- CISA has listed CVE-2026-42897 in its Known Exploited Vulnerabilities catalog, where remediation guidance and due dates are published.
Microsoft has confirmed that attackers are exploiting a zero-day flaw in on-premises Exchange Server, and the company is telling customers to turn on its Emergency Mitigation service while a patch is still unavailable. The vulnerability, tracked as CVE-2026-42897, was disclosed by Microsoft on May 14 and affects Outlook Web Access on Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition. Microsoft said Exchange Online is not impacted. CISA’s Known Exploited Vulnerabilities catalog also lists the flaw, putting it in the federal government’s priority set for urgent remediation.

### How does the Exchange bug work?

Microsoft said CVE-2026-42897 can be triggered when an attacker sends a specially crafted email to a user and that user opens the message in Outlook Web Access under certain interaction conditions. In that scenario, arbitrary JavaScript can run in the browser context, according to Microsoft’s Exchange Team blog. (techcommunity.microsoft.com)

BleepingComputer reported that Microsoft described the issue as a high-severity flaw under active exploitation, while The Hacker News said Microsoft assigned it a CVSS score of 8.1 and characterized it as stemming from cross-site scripting that enables spoofing over a network.

### Which Exchange deployments are affected, and which are not?

(techcommunity.microsoft.com) Microsoft said the affected products are on-premises Exchange Server 2016, 2019 and Subscription Edition, at any update level. The company said Exchange Online is not affected. That distinction matters because the current mitigation guidance is aimed at organizations still running self-managed Exchange infrastructure rather than Microsoft-hosted mailboxes. (bleepingcomputer.com)

Dark Reading reported that the attacks were already underway days after disclosure and that customers were still waiting for a patch.

### What is Microsoft telling customers to do right now?
(techcommunity.microsoft.com) Microsoft said its recommended option is the Exchange Emergency Mitigation service, known as EM Service. The company said the mitigation for CVE-2026-42897 has already been published and is enabled automatically for customers who already have the service turned on. The Exchange Team said customers can verify that the mitigation was applied by checking for mitigation ID “M2.1.x” and can use the Exchange Health Checker script to confirm status across their organizations. (darkreading.com)

For customers that cannot use the EM Service, including disconnected or air-gapped environments, Microsoft said they can apply the mitigation through the Exchange On-premises Mitigation Tool. (techcommunity.microsoft.com)

Microsoft also said the EM Service cannot check for new mitigations if a server is running an Exchange version older than March 2023. The company told customers with the service disabled to enable it immediately.

### Why did CISA add it to the KEV catalog?

CISA says the Known Exploited Vulnerabilities catalog is the government’s authoritative list of vulnerabilities exploited in the wild and that organizations should use it as an input to vulnerability management prioritization. (techcommunity.microsoft.com)

CVE-2026-42897 now appears in that catalog, which is used by federal civilian agencies to drive remediation deadlines under Binding Operational Directive 22-01. For private-sector defenders, KEV inclusion is a signal that the flaw has moved beyond a theoretical advisory and into active operations. That point is reflected in CISA’s own description of the catalog and in Microsoft’s statement that exploitation is already occurring.

### Why are defenders treating Exchange as more than “just email”?

Exchange Server sits on executive communications, internal workflows and authentication-adjacent traffic, which is why security teams often treat it as a high-priority system during active exploitation events.
(cisa.gov) Microsoft’s guidance in this case is focused on immediate containment rather than patch deployment because no security update is yet available. The next concrete milestone is a vendor fix. Microsoft’s Security Update Guide has an entry for CVE-2026-42897, and customers are being directed for now to mitigation steps published by the Exchange Team and to CISA’s KEV catalog for ongoing tracking. (msrc.microsoft.com) (techcommunity.microsoft.com)
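The verification step the Exchange Team describes (confirm the EM Service is on and that the published mitigation ID shows up as applied) can be done in one pass from the Exchange Management Shell. The script below is an added example, not Microsoft's own guidance or tooling; it assumes the EM Service cmdlet properties `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` on `Get-ExchangeServer`, and the mitigation ID `M2.1.x` is a placeholder taken from the article that should be replaced with the exact ID from the Exchange Team post.

```powershell
# Added example: audit EM Service state and whether a given mitigation ID is
# listed as applied (or blocked) on every on-premises Exchange server.
# Run from the Exchange Management Shell as an Exchange administrator.

# Placeholder ID from the article; substitute the exact ID Microsoft publishes.
$MitigationId = 'M2.1.x'

# Organization-wide switch: when this is $false the EM Service is off everywhere,
# regardless of the per-server setting.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EM Service is disabled at the organization level; per-server results below will not apply mitigations.'
}

# Per-server view. Servers older than the March 2023 baseline cannot fetch new
# mitigations, so AdminDisplayVersion is included for triage.
$report = Get-ExchangeServer | ForEach-Object {
    [pscustomobject]@{
        Server            = $_.Name
        Version           = $_.AdminDisplayVersion
        EmServiceEnabled  = $_.MitigationsEnabled
        MitigationApplied = ($_.MitigationsApplied -contains $MitigationId)
        MitigationBlocked = ($_.MitigationsBlocked -contains $MitigationId)
    }
}
$report | Format-Table -AutoSize

# Flag anything that still needs attention: service off, or the mitigation
# neither applied nor deliberately blocked by an administrator.
$needsAction = $report | Where-Object {
    -not $_.EmServiceEnabled -or (-not $_.MitigationApplied -and -not $_.MitigationBlocked)
}
if ($needsAction) {
    Write-Warning ("Servers without the mitigation in place: " + ($needsAction.Server -join ', '))
}

# To turn the service back on for a server that had it disabled (placeholder name):
# Set-ExchangeServer -Identity 'EXCH01' -MitigationsEnabled $true
```

The same per-server list is also produced by the `Get-Mitigations.ps1` script shipped in the Exchange `Scripts` folder, which is the quicker option if only a status readout is needed.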