Exchange Server Zero-Day Vulnerability Can Be Triggered by Opening a Malicious Email

CSO Online, May 15, 2026

Why It Matters

The active exploitation raises immediate risk of credential theft and data breach for organizations still running on‑prem Exchange, forcing rapid mitigation or migration. It also highlights the broader industry shift toward cloud email services as a security imperative.

Key Takeaways

  • Zero‑day XSS flaw (CVE‑2026‑42897) affects Exchange 2016, 2019, SE.
  • Exploit triggers when a user opens a malicious email in Outlook Web Access.
  • Microsoft’s EM Service mitigation works if enabled; otherwise use EOMT script.
  • Patch pending; Exchange Online remains unaffected, on‑prem servers stay vulnerable.
  • Incident accelerates push for cloud email migration and security automation.

Pulse Analysis

The newly uncovered CVE‑2026‑42897 is a cross‑site scripting (XSS) bug in the Outlook Web Access (OWA) component of Microsoft Exchange Server. By embedding malicious JavaScript in a specially crafted email, an attacker can execute script in the victim’s browser when the message is opened, potentially reading or sending emails without any further user interaction. The vulnerability affects Exchange Server 2016, 2019 and the Subscription Edition regardless of cumulative update level, and is already being leveraged in the wild, making it one of the most urgent threats to on‑prem email infrastructures this year.

Microsoft’s immediate response is an emergency mitigation delivered through the Exchange EM Service, which is enabled by default on versions released after September 2021. Organizations that have disabled the service or operate air‑gapped systems must deploy the Exchange On‑Premises Mitigation Tool (EOMT) manually. While the fix blocks the exploit, it introduces side effects such as broken OWA calendar printing, missing inline images, and limited functionality for the deprecated light layout. Administrators should verify that ‘Mitigation M2’ is active across all servers and test critical OWA features after deployment.

The incident serves as a catalyst for enterprises to reassess their email strategy. With Exchange Online untouched by the flaw, cloud‑based mail offers a faster path to security updates and reduced attack surface. Security officers are also being urged to embed automated validation of mitigation status into their broader security orchestration workflows. As zero‑day exploits become more frequent, the cost of maintaining legacy on‑prem Exchange grows, making migration to Azure‑hosted services not just a convenience but a risk‑management necessity.
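The check described above (confirm that Mitigation M2 is active on every server, and make that confirmation repeatable) can be scripted from the Exchange Management Shell. The following is an added example, not code from CSO Online or from Microsoft; it assumes Windows PowerShell 5.1 with the Exchange cmdlets loaded, WinRM access to each server for the service check, and that the EM Service reports the mitigation under the ID "M2" exactly as the article names it.

```powershell
# Added example: inventory EM Service mitigation status across on-prem Exchange
# servers and flag any that do not report the "M2" mitigation as applied.
# Assumes an Exchange Management Shell session (Windows PowerShell 5.1, where
# Get-Service -ComputerName still exists). The mitigation ID is taken from the
# article; adjust it if the service lists the mitigation under another name.

$RequiredMitigation = 'M2'

# Organization-wide switch: if this is $false, the EM Service applies nothing
# anywhere and EOMT must be run manually on each server.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "MitigationsEnabled is false at the org level; apply EOMT manually."
}

$report = foreach ($srv in Get-ExchangeServer) {
    # Edge Transport servers host no OWA and run no EM Service.
    if ($srv.ServerRole -eq 'Edge') { continue }

    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    # Is the Emergency Mitigation service actually running on this server?
    $svc = Get-Service -Name 'MSExchangeMitigation' -ComputerName $srv.Name `
                       -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        EMServiceState     = if ($svc) { $svc.Status } else { 'Unknown' }
        MitigationsEnabled = $srv.MitigationsEnabled
        M2Applied          = $applied -contains $RequiredMitigation
        M2Blocked          = $blocked -contains $RequiredMitigation
        AllApplied         = ($applied -join ',')
    }
}

$report | Format-Table -AutoSize

# Servers listed here need attention: service stopped, mitigation blocked,
# or M2 never applied (air-gapped hosts fall into this last category).
$gaps = $report | Where-Object {
    -not $_.M2Applied -or $_.M2Blocked -or $_.EMServiceState -ne 'Running'
}
if ($gaps) {
    Write-Warning "Servers without an active $RequiredMitigation mitigation:"
    $gaps | Format-Table Server, EMServiceState, M2Applied, M2Blocked -AutoSize
    exit 1
}
```

The non-zero exit code lets the script run unattended from a scheduled task or orchestration pipeline, so a server that drops out of compliance raises an alert rather than waiting for a manual review.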
