Microsoft confirms Exchange zero-day
- Microsoft disclosed active exploitation of Exchange Server flaw CVE-2026-42897 on May 14, affecting on-premises Outlook Web Access in Exchange 2016, 2019 and SE. (techcommunity.microsoft.com)
- The key detail is Microsoft’s mitigation: Exchange Emergency Mitigation Service auto-published fix ID M2.1.x, while Exchange Online is not affected. (techcommunity.microsoft.com)
- CISA’s next step is KEV-driven remediation guidance, while Microsoft says customers should monitor MSRC for an official patch. (cisa.gov)
Microsoft has confirmed that attackers are exploiting a zero-day flaw in on-premises Exchange Server, putting Outlook Web Access back at the center of enterprise incident response. The vulnerability, tracked as CVE-2026-42897, was disclosed by Microsoft on May 14 and affects Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition. (techcommunity.microsoft.com)

Microsoft said a specially crafted email can trigger the issue when a user opens it in Outlook Web Access, allowing arbitrary JavaScript execution in the browser context. Exchange Online is not affected.

For administrators, the immediate issue is not patching but containment. Microsoft said customers should use the Exchange Emergency Mitigation Service if it is enabled, or apply the company’s scripted mitigation process if it is not. (cisa.gov) The company’s published guidance identifies the automatic mitigation as M2.1.x and says organizations can verify deployment through Exchange Health Checker.

### Which Microsoft systems are actually exposed?

Microsoft said the flaw affects on-premises Exchange deployments only: Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition. The company said “any update level” of those products is impacted. Microsoft also said Exchange Online is not impacted by this vulnerability. (techcommunity.microsoft.com)

Tenable’s CVE entry describes the bug as an improper neutralization of input during web page generation, or cross-site scripting, that allows an unauthorized attacker to perform spoofing over a network. Microsoft’s advisory classifies the issue as a Microsoft Exchange Server spoofing vulnerability. (techcommunity.microsoft.com)

### How does the attack work in practice?

Microsoft said an attacker can exploit the flaw by sending a specially crafted email to a user. If that user opens the message in Outlook Web Access and “certain interaction conditions are met,” arbitrary JavaScript can execute in the browser context, according to the company’s Exchange Team advisory. (techcommunity.microsoft.com)

That matters because Outlook Web Access is often exposed to the internet for remote email access. Microsoft’s mitigation guidance focuses on OWA because that is where the vulnerable rendering path sits, according to the company’s description of the exploit chain. (tenable.com)

### What is Microsoft telling administrators to do right now?

Microsoft said the recommended first step is to use the Exchange Emergency Mitigation Service, which it said is enabled by default and has already received an automatic mitigation for CVE-2026-42897. The company said customers with the service disabled should enable it immediately if possible. (techcommunity.microsoft.com)

For disconnected or air-gapped environments, Microsoft said administrators can use the Exchange On-Premises Mitigation Tool to apply the mitigation manually, either server by server or across all Exchange servers. The company also said mitigations will not work if the client used to access OWA is Internet Explorer or Microsoft Edge in Internet Explorer Mode. (techcommunity.microsoft.com)

### Where does CISA come in?

CISA maintains the Known Exploited Vulnerabilities Catalog as the U.S. government’s list of vulnerabilities known to have been exploited in the wild. CISA says organizations should use that catalog as an input to vulnerability management prioritization, and it says federal civilian agencies must remediate listed flaws by the assigned due dates under Binding Operational Directive 22-01. (techcommunity.microsoft.com)

CISA’s alert framework says those notices are meant to provide rapid awareness of high-priority threats along with mitigations, workarounds and detections. That is the lane this Exchange issue has entered: active exploitation, mitigation guidance first, patch later.

### What should defenders watch next?

Microsoft’s MSRC advisory says the vulnerability requires customer action to resolve, and the Exchange Team post says customers should verify whether mitigation M2.1.x has been applied. (techcommunity.microsoft.com) Microsoft has not yet published a security update for CVE-2026-42897 in the material reviewed here.

The next concrete milestone is an official Microsoft patch or updated MSRC guidance. Until then, Exchange administrators are being directed to Microsoft’s Exchange Team advisory, the MSRC CVE page and CISA’s KEV catalog for updated remediation and exposure guidance. (cisa.gov) (techcommunity.microsoft.com) (msrc.microsoft.com) (cisa.gov)
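The verification step the Exchange Team post asks for (confirming that EEMS is on and that the mitigation is reported on every server) can be scripted from the Exchange Management Shell. The following is an added example for this article, not a Microsoft script: it uses the documented EEMS surface (`Get-OrganizationConfig` with `MitigationsEnabled`, and `Get-ExchangeServer` with `MitigationsApplied` / `MitigationsBlocked`) to list what each server reports and flag servers where the expected ID is absent. The mitigation identifier `M2.1.x` is taken from the article as a placeholder; the exact ID string Microsoft publishes should be substituted (a `*` wildcard is accepted).

```powershell
# Added example (not Microsoft's own tooling): audit EEMS state and confirm the
# CVE-2026-42897 mitigation is present on every on-premises Exchange server.
# Run inside the Exchange Management Shell with View-Only Organization Management
# or higher. Cmdlets/properties used are the documented EEMS interface.
param(
    # ASSUMPTION: placeholder ID from the article; replace with the published ID,
    # or use a wildcard such as 'M2.1*' if only the prefix is known.
    [string]$ExpectedMitigation = 'M2.1.x'
)

# 1. Organization-level switch: if this is $false, EEMS will not auto-apply anything.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning ("EEMS is disabled for the organization. Enable it with: " +
                   "Set-OrganizationConfig -MitigationsEnabled `$true")
}

# 2. Per-server view. Edge Transport servers do not host OWA, so they are skipped.
$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' })) {
    # Re-query by identity so the mitigation properties are populated for this server.
    $detail  = Get-ExchangeServer -Identity $srv.Name
    $applied = @($detail.MitigationsApplied)
    $blocked = @($detail.MitigationsBlocked)

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        MitigationsApplied = ($applied -join ', ')
        MitigationsBlocked = ($blocked -join ', ')
        # Matched if any applied ID is equal to (or wildcard-matches) the expected one.
        HasExpected        = [bool]($applied | Where-Object { $_ -like $ExpectedMitigation })
        ExpectedBlocked    = [bool]($blocked | Where-Object { $_ -like $ExpectedMitigation })
    }
}

$report | Format-Table -AutoSize

# 3. Summarize gaps so the output can be dropped into an incident ticket.
$missing = @($report | Where-Object { -not $_.HasExpected })
$blockedOn = @($report | Where-Object { $_.ExpectedBlocked })

if ($blockedOn.Count -gt 0) {
    Write-Warning ("Mitigation '$ExpectedMitigation' is explicitly BLOCKED on: " +
                   ($blockedOn.Server -join ', ') + ". Review why it was blocked before relying on it.")
}
if ($missing.Count -gt 0) {
    Write-Warning ("Mitigation '$ExpectedMitigation' not reported on: " +
                   ($missing.Server -join ', '))
    Write-Host "Next step: run Get-Mitigations.ps1 from `$env:ExchangeInstallPath\Scripts on each listed server,"
    Write-Host "or apply the mitigation with the Exchange On-Premises Mitigation Tool (EOMT) if the server is offline."
} else {
    Write-Host "Mitigation '$ExpectedMitigation' reported on all $($report.Count) non-Edge Exchange servers."
}
```

Two points on reading the output. A server whose `MitigationsApplied` list is empty is not necessarily unprotected; if EEMS has never been able to reach the Office Config Service (disconnected or air-gapped networks) the list stays empty and the article's EOMT path applies. Conversely, an ID appearing under `MitigationsBlocked` means someone deliberately excluded it on that server, which should be treated as a finding in its own right. The article's other caveat, that the mitigation is ineffective for users on Internet Explorer or Edge in IE mode, is a client-side condition this server-side check cannot see, so browser inventory needs to be reviewed separately.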