Microsoft disclosed a critical vulnerability in Exchange Server on May 14, 2026, and it’s already being exploited in the wild. Here’s a quick breakdown of what it is, who’s affected, and what’s being done about it.

🚨 The official announcement is subject to ongoing updates; visit the link below to access the latest information: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498

CVE-2026-42897

CVE-2026-42897 is a Cross-Site Scripting (XSS) Spoofing vulnerability (CWE-79) in Microsoft Exchange Server. It carries a CVSS v3.1 score of 8.1 (High), meaning it poses a significant risk to organizations running on-premises Exchange environments.

How Does It Work?

An attacker sends a specially crafted email to a target. If the recipient opens it in Outlook Web Access (OWA), malicious JavaScript executes in the user’s browser, with no special permissions required. This can allow an attacker to spoof users, steal credentials, or perform actions on the victim’s behalf.

The attack vector is network-based. It requires user interaction (the victim opening the email in OWA) but no authentication on the attacker’s side.

Who Is Affected?

Product                           Affected?
Exchange Server 2016              ✅ Yes, all update levels
Exchange Server 2019              ✅ Yes, all update levels
Exchange Server SE                ✅ Yes, all update levels
Exchange Online (Microsoft 365)   ❌ Not affected

Is There a Patch?

Not yet. As of the disclosure date, no permanent fix has been released. Patches are in development for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15; note that the patches for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server ESU program.

What’s the Mitigation?

Microsoft has issued mitigation M2.1.0, an IIS URL Rewrite rule, delivered through two methods:

  • EEMS (Exchange Emergency Mitigation Service): Applied automatically on internet-connected servers; if EEMS is enabled (it is on by default) and the server is up to date, the server most likely already has the protection
  • EOMT (Exchange On-Premises Mitigation Tool): A manually run script for offline or air-gapped environments that cannot use EEMS

Note: Some servers may display a “Mitigation invalid for this Exchange version” message. Microsoft has confirmed this is a display bug only: if the mitigation status shows “Applied,” it is working correctly.
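To work out which servers will pick up M2.1.0 on their own through EEMS and which will need an EOMT run, the following PowerShell is an added check (not code from the Microsoft post or from Messageware) meant to be run from the Exchange Management Shell on an on-premises server. It uses the documented MitigationsEnabled flags on Get-OrganizationConfig and Get-ExchangeServer; the last step assumes Get-Mitigations.ps1 is run locally on the server being checked and that its output lists mitigation IDs as plain text.

```powershell
# Added example: inventory EEMS state so the servers that need EOMT are known before
# the M2.1.0 rule is relied on. Run in the Exchange Management Shell.

# 1. EEMS must be enabled at the organisation level for any server to auto-apply mitigations.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled org-wide: no server will auto-apply M2.1.0. Plan an EOMT run on every server."
}

# 2. Per-server flag: a server with MitigationsEnabled = $false will not receive M2.1.0
#    automatically and must get the rule through the EOMT script instead.
$report = foreach ($s in Get-ExchangeServer) {
    $auto = $org.MitigationsEnabled -and $s.MitigationsEnabled
    [pscustomobject]@{
        Server             = $s.Name
        Version            = $s.AdminDisplayVersion
        MitigationsEnabled = $s.MitigationsEnabled
        Action             = if ($auto) { 'Confirm M2.1.0 shows Applied' } else { 'Apply M2.1.0 via EOMT' }
    }
}
$report | Format-Table -AutoSize

# 3. On the local server, confirm the rule is actually present. Get-Mitigations.ps1 ships in the
#    Exchange Scripts folder. Filtering its output for the ID is an assumption about its format;
#    per the note above, an "Applied" status is what matters even if a version warning is shown.
$script = Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1'
if (Test-Path $script) {
    & $script | Out-String -Stream | Select-String -Pattern 'M2\.1\.0'
} else {
    Write-Warning "Get-Mitigations.ps1 not found; run this step on the Exchange server itself."
}
```

Servers listed with the EOMT action should be treated as unprotected until the tool has been run and the status check reports M2.1.0 as Applied.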

Fortify Your Server with Messageware Security

Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Server Threat Guard (STG) for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security. Stop AD account lockouts, eliminate password attacks, intelligent GEO blocking, and prevent Exchange Server vulnerability probing.

Don’t leave your critical infrastructure vulnerable; be proactive and stay ahead of evolving threats.