Microsoft warns Exchange Server flaw is being exploited before patch release
Microsoft has warned administrators that attackers are actively exploiting a newly disclosed Microsoft Exchange Server vulnerability before a permanent security update is available.
The flaw is tracked as CVE-2026-42897 and affects on-premises Exchange Server through Outlook Web Access (OWA). Microsoft classifies the issue as a high-severity spoofing vulnerability, the label it uses in its Security Update Guide for cross-site scripting (XSS) bugs.
An attacker can exploit the vulnerability by sending a specially crafted email to a user. If the user opens the message in Outlook Web Access and certain conditions are met, the attacker's JavaScript runs inside the user's authenticated OWA browser session, which means it can act within OWA with that user's rights.
What CVE-2026-42897 means for Exchange admins
CVE-2026-42897 does not affect Exchange Online, based on the current public details. The risk centers on organizations that still run Exchange Server on-premises.
The affected products include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. Microsoft says the issue applies across update levels, which makes exposure broad for companies with local Exchange deployments.
The vulnerability matters because Exchange often handles sensitive business communications, credentials, attachments, and internal workflows. The flaw does require user interaction, but the interaction is only opening a message in OWA, and email gives the attacker a delivery path that reaches every mailbox user.
| Item | Details |
|---|---|
| CVE | CVE-2026-42897 |
| Severity | High, CVSS 3.1 score of 8.1 from Microsoft |
| Vulnerability type | Cross-site scripting leading to spoofing |
| Main target | Outlook Web Access on on-premises Exchange Server |
| Active exploitation | Confirmed by Microsoft and listed by CISA |
| Permanent patch | Not yet available at the time of writing |
Microsoft is using emergency mitigations first
Microsoft has not released the final security update yet. Until that happens, the company recommends using the Exchange Emergency Mitigation Service to reduce exposure.
The Exchange Emergency Mitigation Service (EM Service) can automatically apply temporary protections to supported on-premises Exchange servers. For this issue, the mitigation is an IIS URL Rewrite configuration that Microsoft tracks in its mitigation list under the ID M2.
Administrators should check that mitigations are enabled both at the organization level and on each server, that the EM Service itself is running, and that every server can reach Microsoft's Office Config Service (OCS) over HTTPS. A server that cannot reach OCS cannot download new mitigations automatically, and stays unprotected until the mitigation is applied manually.
Air-gapped servers need manual action
Some Exchange environments cannot use automatic mitigation because they run in disconnected or restricted networks. Microsoft directs those admins to use the latest Exchange on-premises Mitigation Tool.
Admins must run the tool from an elevated Exchange Management Shell. It can apply the mitigation to a single server or to all eligible Exchange servers in the organization.
- Confirm which Exchange servers are internet-facing.
- Check whether the Exchange Emergency Mitigation Service is enabled.
- Verify that mitigation M2 appears as applied.
- Use the Exchange on-premises Mitigation Tool for disconnected servers.
- Watch for failed or blocked mitigations in Exchange logs.
Mitigation may affect some Outlook Web Access features
The temporary mitigation can cause some side effects in Outlook Web Access. Microsoft has warned that OWA Print Calendar may not work properly after the mitigation applies.
Users may also see problems with inline images in the OWA reading pane. In those cases, Microsoft suggests using attachments or the Outlook desktop client as workarounds.

These issues create inconvenience, but they do not outweigh the security risk. Organizations with exposed Exchange servers should keep the mitigation active unless they have a tested alternative control.
Permanent updates will not be equal for all Exchange versions
Microsoft plans to release permanent security updates, but support status matters. Exchange Server Subscription Edition is expected to receive the public fix when it becomes available.
Exchange Server 2016 and Exchange Server 2019 are in a more restricted position. Updates for those older versions will be available only to customers enrolled in the Period 2 Exchange Server Extended Security Update program.
Organizations running older cumulative updates should also review upgrade requirements now. Waiting for the final patch may leave admins with compatibility work at the worst possible time.
CISA gives federal agencies a deadline
CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, 2026. That means U.S. federal civilian agencies must follow the required action by May 29, 2026.
The required action gives agencies two options. They must apply vendor mitigations or stop using the affected product if no mitigation is available.
Private organizations do not have the same federal mandate, but the KEV listing remains a strong warning. CISA adds vulnerabilities to the catalog only when there is evidence of real-world exploitation.
What organizations should do now
- Identify all on-premises Exchange Server 2016, 2019, and Subscription Edition systems.
- Check whether Outlook Web Access is exposed to the internet.
- Confirm that the Exchange Emergency Mitigation Service is running.
- Verify that the CVE-2026-42897 mitigation has been applied successfully.
- Use the manual mitigation tool for servers without Microsoft cloud connectivity.
- Prepare to install the final security update as soon as Microsoft releases it.
- Monitor OWA activity, authentication logs, and suspicious mailbox behavior.
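The checklist above and the earlier mitigation checklist (internet-facing OWA, EM Service enabled, M2 applied, disconnected servers, mitigation logs) can be audited in one pass. The script below is an added example, not Microsoft's or this article's code, written for an elevated Exchange Management Shell on Windows PowerShell 5.1. It assumes the mitigation appears under the ID M2 as the article states, and that the OCS endpoint URL and the EM Service log folder are the defaults Microsoft documents for the EM Service; both should be checked against the current Microsoft documentation before relying on them. It is read-only and applies nothing itself.

```powershell
# Added example (not from Microsoft or the article): read-only audit of Exchange Emergency
# Mitigation state for the checklist items above. Run from an elevated Exchange Management Shell.

$MitigationId = 'M2'   # assumption: mitigation ID for this CVE, as stated in the article
# assumption: the Office Config Service endpoint the EM Service polls, per Microsoft's EM docs
$OcsUrl = 'https://officeclient.microsoft.com/GetExchangeMitigations'

# 1. Org-wide switch. If this is $false the EM Service applies nothing, on any server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Org-level MitigationsEnabled: $orgEnabled"

# 2. OWA virtual directories that publish an external URL are the internet-facing candidates.
Get-OwaVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, ExternalUrl |
    Format-Table -AutoSize

# 3. Per-server state: EM switch, service status, applied and blocked mitigation IDs.
$report = foreach ($s in (Get-ExchangeServer | Where-Object { $_.IsMailboxServer })) {
    $svc = $null
    try {
        $svc = Get-Service -ComputerName $s.Name -Name MSExchangeMitigation -ErrorAction Stop
    } catch { }
    [pscustomobject]@{
        Server             = $s.Name
        Version            = $s.AdminDisplayVersion
        MitigationsEnabled = $s.MitigationsEnabled
        EmService          = if ($svc) { $svc.Status } else { 'unreachable' }
        Applied            = ($s.MitigationsApplied -join ',')
        Blocked            = ($s.MitigationsBlocked -join ',')
        TargetApplied      = ($s.MitigationsApplied -contains $MitigationId)
    }
}
$report | Format-Table -AutoSize

# 4. Servers still missing the mitigation need OCS reachability or a manual run of
#    Microsoft's Exchange on-premises Mitigation Tool (parameters are tool-specific; see its README).
$missing = $report | Where-Object { -not $_.TargetApplied }
if ($missing) {
    Write-Warning ("{0} not applied on: {1}" -f $MitigationId, ($missing.Server -join ', '))
}

# 5. Can this server reach OCS? The EM Service needs a successful HTTPS GET to fetch mitigations.
try {
    $r = Invoke-WebRequest -Uri $OcsUrl -UseBasicParsing -TimeoutSec 15
    Write-Host "OCS reachable: HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
} catch {
    Write-Warning "OCS unreachable from $($env:COMPUTERNAME): $($_.Exception.Message)"
}

# 6. List the IIS URL Rewrite rules under the Default Web Site and its child applications,
#    so the mitigation's rule can be matched against Microsoft's description of it.
Import-Module WebAdministration
Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
    -PSPath 'IIS:\Sites\Default Web Site' -Recurse |
    Select-Object name, PSPath |
    Format-Table -AutoSize

# 7. Tail the newest EM Service log on this server for failed or blocked mitigations.
# assumption: default EM Service log folder, per Microsoft's EM docs
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\MitigationService'
Get-ChildItem $logDir -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Get-Content -Tail 40
```

Steps 5 through 7 inspect the server the shell is running on, so run the script on each mailbox server (or wrap those steps in Invoke-Command) rather than relying on one run from a management workstation. A server that shows MitigationsEnabled true but M2 absent and OCS unreachable is the case the article describes for the manual tool.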
Security teams should also avoid treating the mitigation as a permanent fix. Microsoft describes emergency mitigations as temporary protections until a security update resolves the underlying vulnerability.
The most practical response is to apply the mitigation now, review Exchange exposure, and prepare the environment for the final update. For many organizations, this also creates another reason to reduce reliance on internet-facing legacy Exchange infrastructure.
FAQ
CVE-2026-42897 is a Microsoft Exchange Server cross-site scripting vulnerability affecting Outlook Web Access in on-premises Exchange environments. Microsoft says attackers are exploiting it in the wild.
Microsoft gives CVE-2026-42897 a CVSS 3.1 score of 8.1, which places it in the high-severity range. Some reports may call it critical, but the official Microsoft score is high.
Current public reporting says the vulnerability affects on-premises Exchange Server. Exchange Online is not listed as affected.
Microsoft has not released the permanent security update yet. Administrators should apply the available emergency mitigation and install the final update once Microsoft releases it.
Admins should check whether the Exchange Emergency Mitigation Service is enabled and confirm that the CVE-2026-42897 mitigation has applied successfully. Disconnected environments should use Microsoft’s Exchange on-premises Mitigation Tool.