Microsoft Exchange Zero-Day Exploited: No Patch, Only Mitigations

Manaal Khan, 15 May 2026 at 3:43 pm, 5 min read
Key Takeaways

Source: BleepingComputer
  • CVE-2026-42897 affects Exchange Server 2016, 2019, and Subscription Edition with no patch available
  • Attackers can execute arbitrary JavaScript when victims open malicious emails in Outlook Web Access
  • Exchange Emergency Mitigation Service provides automatic protection for servers running March 2023 or newer builds

What the Vulnerability Does

Microsoft disclosed on Thursday that threat actors are actively exploiting a high-severity vulnerability in Exchange Server. The flaw, tracked as CVE-2026-42897, is a spoofing vulnerability that enables cross-site scripting attacks against Outlook Web Access users.

The attack works like this: an attacker sends a specially crafted email to a target. If the recipient opens that email in Outlook Web Access and meets certain interaction conditions, malicious JavaScript executes in their browser. This gives the attacker code execution within the victim's browser session.

The vulnerability affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. All three remain vulnerable even when fully patched with the latest available updates.

No Patch Yet, Only Mitigations

Microsoft has not released a patch. Instead, the company is pushing mitigations through its Exchange Emergency Mitigation Service. EEMS will automatically apply protections to Exchange Server 2016, 2019, and SE installations running on-premises.

Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away.

— Microsoft Exchange Team

There's a catch. EEMS cannot check for new mitigations if your server runs an Exchange Server version older than March 2023. Organizations still on older builds need to update first or apply mitigations manually.

Manual Mitigation for Air-Gapped Servers

Administrators running Exchange in air-gapped environments cannot rely on EEMS. Microsoft advises downloading the latest Exchange on-premises Mitigation Tool and running it through an elevated Exchange Management Shell.

For a single server, run:

```powershell
.\EOMT.ps1 -CVE "CVE-2026-42897"
```

For all servers in the organization:

```powershell
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
```

When Patches Will Arrive

Microsoft plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. The company did not provide a timeline.

Here's the bad news for organizations on older Exchange versions. Updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server Extended Security Updates program. If you haven't paid for ESU coverage, you won't get the patch.

Why EEMS Exists

Microsoft introduced the Exchange Emergency Mitigation Service in September 2021. The feature was a direct response to the ProxyLogon and ProxyShell vulnerabilities that hackers exploited en masse before patches or mitigation guidance existed.

EEMS runs as a Windows service on Exchange Mailbox servers. It's enabled by default on servers with the Mailbox role. When Microsoft identifies a high-risk vulnerability being actively exploited, EEMS can push interim mitigations automatically, buying time until a full patch arrives.

Exchange Security Remains a Persistent Problem

Exchange Server has become a favorite target for threat actors. The product's complexity, its privileged position in enterprise networks, and the large number of internet-exposed instances make it attractive. Many organizations still run on-premises Exchange despite Microsoft's push toward Exchange Online.

In October, weeks after Exchange 2016 and 2019 reached end of support, CISA and the NSA released joint guidance to help IT administrators harden Exchange servers against attacks. That guidance remains relevant for organizations still running these versions.

What You Should Do Now

  1. Verify EEMS is enabled on all Exchange servers. If disabled, enable it immediately.
  2. Check that your Exchange installation is at least March 2023 version or newer so EEMS can receive mitigation updates.
  3. For air-gapped servers, download EOMT and run the mitigation script manually.
  4. If you're running Exchange 2016 or 2019 without ESU enrollment, consider enrolling before the patch drops.
  5. Monitor Microsoft's security advisories for patch release announcements.
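Steps 1 and 2 of the checklist, as an added example that is not the article's or Microsoft's own code: an inventory script for an elevated Exchange Management Shell (Windows PowerShell 5.1) that reports the EEMS switches, the EEMS service state and the installed build per Mailbox server. It uses the documented MitigationsEnabled settings on Get/Set-OrganizationConfig and Get/Set-ExchangeServer; the service name MSExchangeMitigation and working PowerShell remoting to each server are assumptions.

```powershell
# Added example (not from the article or Microsoft). Reports, per non-Edge server, the
# state that steps 1 and 2 ask you to verify; -Fix turns EEMS on where it is disabled.
# It does not apply the CVE mitigation itself; that is EOMT's job (see above).
param([switch]$Fix)

# Org-wide switch: when this is $false, EEMS is off everywhere regardless of per-server flags.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "Organization-level MitigationsEnabled is False"
    if ($Fix) { Set-OrganizationConfig -MitigationsEnabled $true }
}

$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }
$report = foreach ($s in $servers) {
    # EEMS runs as a Windows service; if it is stopped, no new mitigations are fetched.
    # Service name MSExchangeMitigation is an assumption; verify with Get-Service on a server.
    $svc = Get-Service -ComputerName $s.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    # AdminDisplayVersion only shows the CU. The Security Update level (the "March 2023 or
    # newer" requirement) is visible in the ExSetup.exe file version on the server itself.
    $exsetup = Invoke-Command -ComputerName $s.Name -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-Item (Join-Path $env:ExchangeInstallPath "bin\ExSetup.exe")).VersionInfo.ProductVersion
    }

    if ($Fix -and -not $s.MitigationsEnabled) {
        Set-ExchangeServer -Identity $s.Name -MitigationsEnabled $true
    }

    [pscustomobject]@{
        Server            = $s.Name
        CU                = $s.AdminDisplayVersion.ToString()
        ExSetupVersion    = $exsetup   # compare against Microsoft's Exchange build table
        ServerMitigations = $s.MitigationsEnabled
        ServiceStatus     = if ($svc) { $svc.Status } else { "not found" }
    }
}

$report | Format-Table -AutoSize
```

Any row with ServerMitigations False, a service status other than Running, or an ExSetupVersion older than the March 2023 Security Update is a server that EEMS cannot protect until it is fixed or updated.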
Frequently Asked Questions

Is there a patch available for CVE-2026-42897?

No. Microsoft has only released mitigations through EEMS and EOMT. Patches are planned for Exchange SE RTM, 2016 CU23, and 2019 CU14/CU15, but no release date has been announced.

Which Exchange Server versions are affected?

Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are all affected, even when running the latest available updates.

How do attackers exploit this vulnerability?

An attacker sends a specially crafted email. When the recipient opens it in Outlook Web Access and certain interaction conditions are met, malicious JavaScript executes in the victim's browser.

Will I get the patch if I'm not enrolled in ESU?

For Exchange 2016 and 2019, patches will only be available to customers enrolled in the Period 2 Exchange Server Extended Security Updates program. Exchange SE customers will receive patches without ESU enrollment.

Does Exchange Emergency Mitigation Service work on all Exchange servers?

EEMS requires Exchange Server versions from March 2023 or newer. Older versions cannot receive new mitigation updates through EEMS.
