
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Why It Matters
Active exploitation of a high‑severity flaw puts on‑premises Exchange deployments at immediate risk, forcing organizations to apply mitigations before a permanent patch arrives.
Key Takeaways
- CVE-2026-42897 scores 8.1 CVSS, actively exploited.
- Affects Exchange Server 2016, 2019, and Subscription Edition.
- Crafted email triggers JavaScript execution in Outlook Web Access.
- Microsoft provides Emergency Mitigation Service and on-premises tool.
- Exchange Online is not impacted by this vulnerability.
Pulse Analysis
The latest Microsoft Exchange advisory underscores a troubling trend: on-premises email infrastructure remains a prime target for sophisticated attackers. CVE-2026-42897, a cross-site scripting issue with an 8.1 CVSS rating, exploits the way Outlook Web Access renders HTML content. By embedding malicious JavaScript in a seemingly benign email, threat actors can hijack a user's browser session, potentially harvesting credentials or deploying ransomware. While Microsoft's cloud-based Exchange Online is insulated from this flaw, the on-premises versions (2016, 2019, and the Subscription Edition) are fully exposed, highlighting the lingering security gap between cloud and legacy deployments.
To mitigate the immediate threat, Microsoft rolled out the Exchange Emergency Mitigation Service (EEMS), which automatically rewrites URLs to neutralize the exploit. For air‑gapped or highly regulated environments where EEMS cannot be enabled, the company offers the Exchange on‑premises Mitigation Tool (EOMT), a PowerShell script that applies the same protective rules across individual or all servers. Although the mitigation may display a cosmetic error message, it remains effective as long as the status reads “Applied.” Administrators should verify the service’s activation and test the script in a staging environment before broad deployment, ensuring that legitimate mail flow is not disrupted.
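The verification step above can be scripted from the Exchange Management Shell. The following is an added example written for this page, not a script from the article or from Microsoft: it reads the organization-wide EEMS switch and the per-server `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties that Exchange exposes on EEMS-capable builds (2016 CU22 or later, 2019 CU11 or later), then flags servers that still need attention. The mitigation identifier for CVE-2026-42897 is not given on the page, so `$ExpectedMitigationId` is a placeholder you must replace with the ID Microsoft publishes for this CVE.

```powershell
# Added example: verify Exchange Emergency Mitigation Service (EEMS) status
# across all on-premises Mailbox servers. Run in the Exchange Management Shell
# as an Exchange administrator. Assumes an EEMS-capable CU (2016 CU22+/2019 CU11+).

# PLACEHOLDER: the page does not give the mitigation ID for CVE-2026-42897.
# Replace with the ID from Microsoft's advisory before relying on HasExpected.
$ExpectedMitigationId = 'PLACEHOLDER-MITIGATION-ID'

# 1. Organization-wide switch. If this is off, no server will apply mitigations
#    regardless of its own setting.
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level; enable with: Set-OrganizationConfig -MitigationsEnabled $true'
}

# 2. Per-server view. Edge Transport servers do not run EEMS, so skip them.
$report = foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' })) {
    [pscustomobject]@{
        Server             = $server.Name
        MitigationsEnabled = $server.MitigationsEnabled
        Applied            = ($server.MitigationsApplied -join ', ')
        Blocked            = ($server.MitigationsBlocked -join ', ')   # IDs an admin explicitly blocked
        HasExpected        = ($server.MitigationsApplied -contains $ExpectedMitigationId)
    }
}

$report | Format-Table -AutoSize

# 3. Flag servers where EEMS is off or the expected mitigation is not listed as applied.
$report |
    Where-Object { -not $_.MitigationsEnabled -or -not $_.HasExpected } |
    ForEach-Object {
        Write-Warning ("Server {0}: MitigationsEnabled={1}, expected mitigation applied={2}" -f `
            $_.Server, $_.MitigationsEnabled, $_.HasExpected)
    }
```

A server that shows the expected ID under `Blocked` rather than `Applied` was deliberately excluded by an administrator with `Set-ExchangeServer -MitigationsBlocked`; review that decision rather than assuming the check is wrong. For air-gapped hosts where EEMS cannot reach Microsoft's mitigation feed, the per-server `MitigationsApplied` list will stay empty and the EOMT script path described above is the one to use.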
From a business perspective, the rapid emergence of an active exploit forces IT leaders to reassess their vulnerability management cadence. Organizations running on‑prem Exchange must prioritize the temporary mitigations while expediting the procurement of the forthcoming permanent patch. The incident also serves as a reminder that legacy systems demand continuous monitoring and rapid response capabilities. Investing in robust email security gateways, user training on suspicious links, and a clear incident‑response playbook can reduce the attack surface and limit potential fallout from similar zero‑day threats in the future.