On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

The Hacker News technology

Key Points:

  • Microsoft has disclosed a critical security vulnerability (CVE-2026-42897) in on-premises Exchange Server versions 2016, 2019, and Subscription Edition, which is actively being exploited in the wild and involves a cross-site scripting (XSS) spoofing flaw.
  • The vulnerability allows attackers to execute arbitrary JavaScript by sending a crafted email that, when opened in Outlook Web Access under certain conditions, can compromise the user's browser session.
  • Microsoft has released a temporary mitigation via the Exchange Emergency Mitigation Service, enabled by default, and advises users to enable it if not already active; a permanent fix is in development.
  • For environments where the mitigation service cannot be used, Microsoft provides the Exchange On-premises Mitigation Tool (EOMT), which applies the same mitigations manually through Exchange Management Shell scripts.
  • Details about the exploitation methods, threat actors, targets, and scale of impact remain unknown; Microsoft recommends applying the provided mitigations immediately to reduce risk.
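Before relying on the Emergency Mitigation Service described above, an administrator would want to confirm it is actually switched on, since the service only fetches and applies Microsoft's mitigations when both the organization-level and per-server switches are enabled and its Windows service is running. The script below is an added example, not code from the article or from Microsoft; it assumes an Exchange Management Shell session on a build that ships the service (Exchange 2016 CU22 / 2019 CU11 or later, where the `MitigationsEnabled` property exists), and it reads server names from `Get-ExchangeServer` rather than assuming any.

```powershell
# Added example: verify and enable the Exchange Emergency Mitigation Service (EEMS).
# Run from the Exchange Management Shell. Nothing here is specific to one environment;
# server names come from Get-ExchangeServer.

# Organization-wide switch: when this is $false, EEMS is off on every server
# regardless of the per-server setting.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level; enabling it."
    Set-OrganizationConfig -MitigationsEnabled $true
} else {
    Write-Output "Organization-level MitigationsEnabled: True"
}

# Per-server switch, checked on every on-premises mailbox server.
foreach ($srv in Get-ExchangeServer | Where-Object { $_.IsMailboxServer }) {
    $state = Get-ExchangeServer -Identity $srv.Identity |
             Select-Object Name, AdminDisplayVersion, MitigationsEnabled

    if (-not $state.MitigationsEnabled) {
        Write-Warning "$($state.Name) ($($state.AdminDisplayVersion)): EEMS disabled; enabling."
        Set-ExchangeServer -Identity $srv.Identity -MitigationsEnabled $true
    } else {
        Write-Output "$($state.Name) ($($state.AdminDisplayVersion)): EEMS enabled"
    }

    # The MSExchangeMitigation Windows service must be running for the server to
    # download and apply mitigations; a stopped service silently defeats the setting.
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "$($srv.Name): MSExchangeMitigation service not found (pre-EEMS build?)"
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "$($srv.Name): MSExchangeMitigation service status is $($svc.Status), not Running"
    }
}

# To list the mitigations already applied on the local server, Exchange ships a helper
# script in its Scripts folder; uncomment to run it here:
# & "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"
```

Re-run the loop after enabling and confirm every server reports "EEMS enabled" with the service Running; servers that cannot reach Microsoft's mitigation endpoint will need the manual EOMT route the article mentions.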
