On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
By Ravie Lakshmanan, May 15, 2026. Category: Microsoft / Vulnerability
What's new: Microsoft has disclosed a new vulnerability, CVE-2026-42897, affecting on-premises versions of Exchange Server, which is currently being exploited in the wild. This spoofing vulnerability, rated CVSS 8.1, stems from a cross-site scripting flaw that lets unauthorized attackers execute arbitrary JavaScript in Outlook Web Access via crafted emails.
Who’s affected
The following on-premises Exchange Server versions are affected:
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any update level)
What to do
- Enable the Exchange Emergency Mitigation Service for automatic mitigation via URL rewrite configuration.
- If the Emergency Mitigation Service cannot be used, download the Exchange On-Premises Mitigation Tool (EOMT) and apply the mitigation using the following commands:
  - For a single server: `.\EOMT.ps1 -CVE "CVE-2026-42897"`
  - For all servers: `Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"`
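Before falling back to EOMT, an admin usually wants to know which servers the Emergency Mitigation Service is actually covering. The following script is an added example, not code from the article or from Microsoft: it inventories the EEMS state of every non-Edge server and runs EOMT only where EEMS is inactive. It assumes the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties exposed by `Get-OrganizationConfig` and `Get-ExchangeServer` in the Exchange Management Shell, and that `EOMT.ps1` sits in the current directory and accepts `-CVE` exactly as the article shows.

```powershell
# Added example (not from the article): report EEMS coverage per server and
# apply EOMT only where automatic mitigation is not active.
# Assumptions: run from the Exchange Management Shell; EOMT.ps1 is in the
# current directory and takes -CVE as shown in the article.
$cve = "CVE-2026-42897"

# Organization-wide switch; when $false, EEMS is off on every server
# regardless of the per-server setting.
$orgMitigationsOn = (Get-OrganizationConfig).MitigationsEnabled

# Edge Transport servers do not serve OWA, so they are skipped as in the article.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }

$report = foreach ($srv in $servers) {
    [pscustomobject]@{
        Server     = $srv.Name
        Version    = $srv.AdminDisplayVersion
        EemsActive = [bool]($orgMitigationsOn -and $srv.MitigationsEnabled)
        Applied    = (@($srv.MitigationsApplied) -join ",")
        Blocked    = (@($srv.MitigationsBlocked) -join ",")
    }
}

# Review this table first: servers with EemsActive = False are the ones
# that will not receive the URL rewrite mitigation automatically.
$report | Format-Table -AutoSize

# Fall back to EOMT on servers without active EEMS. Each server is piped
# individually so one failure does not abort the rest of the run.
foreach ($row in $report | Where-Object { -not $_.EemsActive }) {
    Write-Host "EEMS inactive on $($row.Server); applying EOMT for $cve"
    try {
        Get-ExchangeServer -Identity $row.Server | .\EOMT.ps1 -CVE $cve
    }
    catch {
        Write-Warning "EOMT failed on $($row.Server): $_"
    }
}
```

Re-run the script after applying EOMT and after the next EEMS check-in so the table reflects the current state rather than the pre-mitigation snapshot.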