On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Microsoft Exchange Server CVE-2026-42897 is being exploited in the wild via crafted emails (CVSS 8.1). On-prem Exchange 2016 / 2019 / SE — enable EEMS or run EOMT now.
What’s new: Microsoft has disclosed CVE-2026-42897, a spoofing vulnerability affecting on-premises versions of Exchange Server, which is currently being exploited in the wild. The vulnerability, with a CVSS score of 8.1, allows unauthorized attackers to get arbitrary JavaScript executed in the recipient's Outlook Web Access session by sending a crafted email, under certain conditions. Microsoft is providing a temporary mitigation through its Exchange Emergency Mitigation Service (EEMS) while preparing a permanent fix.
Who’s affected
The following on-premises Exchange Server versions are impacted:
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any update level)
What to do
- Enable the Exchange Emergency Mitigation Service if not already active. EEMS applies Microsoft's mitigations automatically, but only if the server has outbound HTTPS connectivity to Microsoft's Office Config Service; servers without it will never receive the mitigation this way.
- If air-gap restrictions prevent using the service, download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka.ms/UnifiedEOMT and apply the mitigation using the following commands:
  - For a single server:
    .\EOMT.ps1 -CVE "CVE-2026-42897"
  - For all servers (Edge Transport servers are skipped because they do not run the mitigation service):
    Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
- Monitor for updates from Microsoft regarding a permanent fix.
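Before relying on EEMS, it is worth confirming on every server that it is actually switched on and running, since the mitigation setting exists at both the organization and the server level and a stopped MSExchangeMitigation service silently leaves a server unprotected. The following script is an added example written for this page; it is not Microsoft's code and not part of the advisory. It assumes it is run from the Exchange Management Shell (Windows PowerShell 5.1, which still has Get-Service -ComputerName), that remote service queries are allowed, that EOMT.ps1 from aka.ms/UnifiedEOMT has been downloaded into the current directory, and that the mitigation identifier EEMS reports in MitigationsApplied for this CVE is not known from the advisory, so that column is shown for manual comparison rather than matched automatically.

```powershell
# Added example (not Microsoft's code, not from the advisory): audit EEMS
# readiness for CVE-2026-42897 on all non-Edge Exchange servers, enable it
# where it is off, and fall back to EOMT for servers EEMS cannot serve.
# Run from the Exchange Management Shell (Windows PowerShell 5.1).

$cve = "CVE-2026-42897"   # identifier from the advisory

# EEMS must be enabled at the organization level AND on each server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

# Edge Transport servers do not run the mitigation service; skip them,
# mirroring the filter used in the advisory's EOMT pipeline.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

$report = foreach ($s in $servers) {
    # Windows service behind EEMS (assumption: remote Get-Service is permitted).
    $svc = Get-Service -ComputerName $s.Fqdn -Name MSExchangeMitigation `
                       -ErrorAction SilentlyContinue

    $eemsWorking = $orgEnabled -and $s.MitigationsEnabled -and
                   $svc -and ($svc.Status -eq "Running")

    [pscustomobject]@{
        Server             = $s.Name
        Version            = $s.AdminDisplayVersion
        OrgMitigations     = $orgEnabled
        ServerMitigations  = $s.MitigationsEnabled
        ServiceState       = if ($svc) { $svc.Status } else { "NotInstalled" }
        # Shown for manual review: the advisory does not state which
        # mitigation ID corresponds to this CVE, so it is not matched here.
        MitigationsApplied = ($s.MitigationsApplied -join ", ")
        MitigationsBlocked = ($s.MitigationsBlocked -join ", ")
        # Servers where EEMS cannot run need the offline tool instead.
        NeedsEOMT          = -not $eemsWorking
    }
}

$report | Format-Table -AutoSize

# Remediation step 1: turn EEMS on wherever it is off.
if (-not $orgEnabled) {
    Set-OrganizationConfig -MitigationsEnabled $true
}
$report | Where-Object { -not $_.ServerMitigations } | ForEach-Object {
    Set-ExchangeServer -Identity $_.Server -MitigationsEnabled $true
}

# Remediation step 2: servers that still cannot be served by EEMS (for
# example air-gapped hosts with no outbound connectivity) get the mitigation
# applied directly with EOMT, using the command line from the advisory.
$offline = $report | Where-Object { $_.NeedsEOMT }
if ($offline) {
    $offline | ForEach-Object { Get-ExchangeServer -Identity $_.Server } |
        .\EOMT.ps1 -CVE $cve
}
```

Re-run the audit after a few hours: EEMS polls Microsoft on a schedule rather than immediately, so a freshly enabled server will show the mitigation in MitigationsApplied only once the service has completed its next check-in. Any server that lists the mitigation under MitigationsBlocked has had it deliberately suppressed and should be reviewed.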