Microsoft has warned of a high-severity zero-day vulnerability that could allow an attacker to deliver arbitrary code to a victim by sending a specially crafted email to an Outlook user.
The flaw, tracked as CVE-2026-42897, stems from improper neutralization of input during web page generation, also known as cross-site scripting (XSS), in Microsoft Exchange Server; it allows an unauthorized attacker to perform spoofing over a network.
This high-severity vulnerability (CVSS rating of 8.1), disclosed by the tech giant on May 14, affects the following on-premises Exchange Server versions:
- All existing Exchange Server 2016 versions
- All existing Exchange Server 2019 versions
- All existing Exchange Server Subscription Edition (SE) versions
It does not impact Exchange Online.
Temporary Fixes Available While Patch Is in Development
Microsoft has not yet released a patch for this vulnerability.
However, in a security advisory published on May 14, the Exchange Team shared two approaches security teams can take to mitigate the impact of potential exploits of this vulnerability before patches are available.
The first option, which Microsoft recommends, uses the Exchange Emergency Mitigation (EM) Service.
If the EM Service is enabled, which it is by default, the mitigation has already been automatically applied.
Administrators can verify this by:
- Checking the applied mitigations for CVE-2026-42897 (M2.1.x) through the documentation
- Running the Exchange Health Checker script to quickly check the status of EM Service and applied mitigations
- Enabling the EM Service if it is currently disabled; Microsoft strongly recommends doing so
Note that servers running versions older than March 2023 cannot receive new mitigations through this service, so the automatic mitigation will not reach them.
The second mitigation option is intended for environments unable to use the EM Service, such as disconnected or air-gapped environments.
Administrators can manually apply the mitigation by:
- Downloading the latest version of the Exchange On-premises Mitigation Tool (EOMT)
- Running the provided PowerShell script from an elevated Exchange Management Shell, targeting either a single server or all servers at once using the CVE-2026-42897 identifier
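The verification steps above (confirm the EM Service is running and enabled, confirm a mitigation for this CVE has been applied, and identify servers too old to receive it) can be scripted from an elevated Exchange Management Shell. The following is an added example, not code from the advisory or from Microsoft's Health Checker or EOMT tools. It assumes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties exposed by Get-ExchangeServer and Get-OrganizationConfig, the MSExchangeMitigation Windows service name, and that the applied mitigation IDs for CVE-2026-42897 start with the "M2.1" prefix the advisory uses; the EOMT invocation itself is not reproduced because its parameters are not given on the page.

```powershell
# Added example (not Microsoft's code). Run from an elevated Exchange Management Shell.
# Assumptions: Get-ExchangeServer/Get-OrganizationConfig expose MitigationsEnabled,
# MitigationsApplied and MitigationsBlocked; the EM Service runs as the Windows service
# MSExchangeMitigation; mitigation IDs for CVE-2026-42897 use the "M2.1" prefix from the advisory.
$MitigationPrefix = 'M2.1'

# Organization-wide switch: if this is $false, no server applies EM mitigations,
# regardless of the per-server setting.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization-level MitigationsEnabled: $orgEnabled"

$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.IsMailboxServer })) {
    # Mitigation IDs the EM Service has applied / blocked on this server.
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    $cveFix  = @($applied | Where-Object { $_ -like "$MitigationPrefix*" })

    # Service state on the remote server (Windows PowerShell 5.1, which EMS uses, supports -ComputerName).
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server               = $srv.Name
        Version              = $srv.AdminDisplayVersion   # builds older than March 2023 cannot receive new mitigations
        MitigationsEnabled   = $srv.MitigationsEnabled
        EMServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        CveMitigationApplied = ($cveFix.Count -gt 0)
        AppliedIds           = ($applied -join ', ')
        BlockedIds           = ($blocked -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers that need attention: EM Service disabled, not running, or no M2.1 mitigation applied.
# Such servers are candidates for enabling the EM Service (Set-ExchangeServer -MitigationsEnabled $true)
# or, where the service cannot be used, for the manual EOMT route described in the advisory.
$needsAction = $report | Where-Object {
    -not $_.MitigationsEnabled -or $_.EMServiceStatus -ne 'Running' -or -not $_.CveMitigationApplied
}
if ($needsAction) {
    Write-Warning "Servers without a confirmed CVE-2026-42897 mitigation:"
    $needsAction | Format-Table Server, Version, MitigationsEnabled, EMServiceStatus, CveMitigationApplied -AutoSize
} else {
    Write-Host "All mailbox servers report an applied $MitigationPrefix mitigation with the EM Service running."
}
```

The script is read-only; it reports rather than changes state, so it can be run first and the enable or EOMT step taken only on the servers it flags. A server that shows the EM Service running but no M2.1 ID applied is the case the advisory's March 2023 cutoff describes, and its Version column is the quickest way to confirm that.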
Microsoft acknowledged that both mitigation measures can cause issues, such as disabling or disrupting features (e.g. OWA Print Calendar and inline images).
The company is working on security patches for impacted Exchange servers.
The Exchange SE update will be released as a publicly available security update, while updates for Exchange 2016 and 2019 will be released only to customers who are enrolled in the Period 2 Exchange Server ESU program.
