CVE-2026-42897 Enables Email-Based Exploits Against On-Prem Microsoft Exchange

Microsoft has revealed a newly identified security issue affecting on-premises deployments of Exchange Server, warning that the flaw is already being actively exploited.

The vulnerability, designated CVE-2026-42897 and assigned a CVSS score of 8.1, is categorized as a spoofing issue tied to a cross-site scripting (XSS) weakness. The flaw was discovered and reported by an anonymous security researcher.

According to Microsoft, the root cause lies in insufficient input sanitization during webpage generation within Exchange Server. This weakness enables an attacker to inject malicious scripts, which can then be used to impersonate legitimate users in certain scenarios.

The company confirmed that exploitation is possible through a carefully crafted email. When a target opens the email using Outlook Web Access (OWA), and specific interaction conditions are met, the malicious content can trigger the execution of arbitrary JavaScript within the user’s browser session.

Microsoft has formally acknowledged that exploitation attempts have already been observed in active attacks. However, it has not disclosed technical details about how the vulnerability is being leveraged in the wild, nor has it identified the threat actors or the scale of the activity.

As a temporary defensive measure, Microsoft is rolling out mitigations through the Exchange Emergency Mitigation Service (EEMS) while it works on a permanent fix. This service, which is enabled by default, automatically applies protections using a URL rewrite configuration. Organizations that have disabled the service are advised to enable it immediately to reduce exposure.
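One way to confirm that EEMS is enabled and has applied the mitigation on every Mailbox server, as an added example that is not taken from the article or from Microsoft's advisory. The mitigation ID is a placeholder because the article does not state it; the cmdlets and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties are the standard Exchange Management Shell ones.

```powershell
# Added example for the Exchange Management Shell (Windows PowerShell 5.1).
# Placeholder: the article does not give the mitigation ID for CVE-2026-42897.
$MitigationId = '<MITIGATION-ID-FROM-MICROSOFT-ADVISORY>'

# Organization-wide switch; when $false, EEMS applies nothing on any server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = Get-ExchangeServer |
    Where-Object { -not $_.IsEdgeServer } |   # EEMS is not installed on Edge Transport
    ForEach-Object {
        $applied = @($_.MitigationsApplied)
        $blocked = @($_.MitigationsBlocked)

        # Query the EEMS Windows service; an unreachable host yields 'Unknown'.
        $svc = Get-Service -ComputerName $_.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
        $svcStatus = if ($svc) { [string]$svc.Status } else { 'Unknown' }

        $hasTarget = $applied -contains $MitigationId
        [pscustomobject]@{
            Server         = $_.Name
            OrgEnabled     = $orgEnabled
            ServerEnabled  = $_.MitigationsEnabled
            Service        = $svcStatus
            Applied        = $applied -join ','
            Blocked        = $blocked -join ','
            TargetApplied  = $hasTarget
            # Flag any server where EEMS is off, stopped, or the mitigation is blocked or missing.
            NeedsAttention = (-not $orgEnabled) -or (-not $_.MitigationsEnabled) -or
                             ($svcStatus -ne 'Running') -or ($blocked -contains $MitigationId) -or
                             (-not $hasTarget)
        }
    }

$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize

# To re-enable EEMS where it was turned off (organization, then a single server):
#   Set-OrganizationConfig -MitigationsEnabled $true
#   Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true
```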

Microsoft clarified that this issue does not impact Exchange Online, but it does affect the following on-premises versions:

  • Exchange Server 2016 (all supported builds)
  • Exchange Server 2019 (all supported builds)
  • Exchange Server Subscription Edition (SE)

For organizations operating in restricted environments where automatic mitigation is not feasible, such as air-gapped networks, Microsoft recommends using the Exchange On-Premises Mitigation Tool (EOMT). Administrators can deploy the mitigation manually, either on individual servers or across all servers, using Exchange Management Shell commands.

Microsoft also noted a minor display issue that may appear when applying the mitigation. In some cases, the tool may incorrectly report that the mitigation is invalid for the Exchange version. The company emphasized that this is a cosmetic issue only, and the mitigation is still successfully applied if the status shows as “Applied.”

At this stage, limited information is available regarding attack targets or the effectiveness of ongoing exploitation campaigns. Until more details are released, organizations are strongly encouraged to implement Microsoft’s recommended mitigations as soon as possible to minimize risk.
