Microsoft says attackers are actively exploiting a high-severity Exchange Server vulnerability tracked as CVE-2026-42897, with the flaw affecting on-premises Exchange 2016, Exchange 2019, and Exchange Server Subscription Edition. BleepingComputer reported that the bug can let threat actors achieve arbitrary code execution through cross-site scripting against Outlook on the web users, and Cybersecurity News described the issue as a spoofing flaw with a CVSS score of 8.1.
The vulnerability can be triggered with a specially crafted email sent to a target, Microsoft said. If the message is opened in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript may run in the browser context. Cybersecurity News said the problem centers on improper input neutralization during web page generation, while BleepingComputer noted that Microsoft has not yet released permanent patches.
Instead, Microsoft is pushing temporary mitigations through the Exchange Emergency Mitigation Service, or EEMS, which it says will automatically apply protections to on-premises servers running supported versions. BleepingComputer said EEMS is enabled by default on servers with the Mailbox role and was introduced in 2021 to help defend Exchange against actively exploited flaws. For disconnected environments, Microsoft is also offering the Exchange on-premises Mitigation Tool, which admins can run manually from an elevated Exchange Management Shell.
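The practical question for an administrator reading this is whether EEMS is actually enabled on each Mailbox server and whether it has applied anything yet. The PowerShell below is an added example, not text from the article or a Microsoft-published procedure. It assumes an elevated Exchange Management Shell on an Exchange 2016 or later server and relies on the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that Get-ExchangeServer and Get-OrganizationConfig expose, plus the Get-Mitigations.ps1 script Microsoft ships in the Exchange Scripts folder. The article gives no mitigation ID for this CVE, so the script reports whatever is present rather than looking for a named entry.

```powershell
# Added example (not from the article or from Microsoft documentation):
# a read-only check of Exchange Emergency Mitigation Service state.
# Assumes an elevated Exchange Management Shell on Exchange 2016+ and the
# MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties.

# Organization-wide switch: if this is $false, EEMS is off on every server.
Get-OrganizationConfig | Format-List MitigationsEnabled

# Per-server state plus the IDs of mitigations already applied or blocked.
Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer } |
    Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# Flag Mailbox servers that will not receive the mitigation automatically;
# these are candidates for running the Exchange on-premises Mitigation Tool by hand.
Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -and -not $_.MitigationsEnabled } |
    ForEach-Object { Write-Warning "EEMS disabled on $($_.Name); apply the mitigation manually." }

# Microsoft ships Get-Mitigations.ps1 with Exchange for the same per-server view.
& "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"
```

An empty MitigationsApplied list on a server with EEMS enabled only means nothing has arrived yet, not that the server is unaffected; compare the reported IDs against Microsoft's advisory for this CVE before treating a server as protected, and re-run the check after the permanent update is installed.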
There is one important caveat: Microsoft warned that the emergency mitigation can cause some functionality issues. BleepingComputer reported that OWA calendar printing may stop working, inline images may not display properly in the reading pane, and the legacy OWA light interface does not work as expected. Those tradeoffs appear to be the temporary cost of blocking the attack path while Microsoft finishes a permanent fix.
Microsoft plans to release patches for Exchange Server Subscription Edition RTM, Exchange 2016 CU23, and Exchange 2019 CU14 and CU15, according to BleepingComputer. For Exchange 2016 and 2019, however, those updates will be limited to customers enrolled in the Period 2 Exchange Server ESU program. Cybersecurity News said Microsoft is still finalizing the official update, underscoring that the emergency mitigation is the main defense available right now.