Microsoft Exchange Server Vulnerability Under Active Exploitation; CISA Issues Emergency Mandate
Microsoft is urging administrators to secure on-premises Exchange Servers against a critical spoofing vulnerability that is currently being exploited in the wild.

Microsoft has confirmed that a critical security vulnerability in its on-premises Exchange Server software is currently being exploited in the wild. The flaw, tracked as CVE-2026-42897, carries a CVSS score of 8.1 and has been officially added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Technically, the vulnerability is a spoofing bug rooted in a cross-site scripting (XSS) flaw. Microsoft explains that the issue arises from the "improper neutralization of input during web page generation." An attacker can weaponize this by sending a specially crafted email to a target. When that email is opened within Outlook Web Access (OWA) and meets specific "interaction conditions," the exploit allows for the execution of arbitrary JavaScript code directly within the victim's web browser context (The Hacker News).
The impact of this vulnerability is limited to on-premises deployments, with Microsoft confirming that Exchange Online remains unaffected. The affected versions include all update levels of Exchange Server 2016, Exchange Server 2019, and the Exchange Server Subscription Edition (SE). While Microsoft has acknowledged the active exploitation of this bug, there are currently no public details regarding the specific threat actors involved, the scale of the campaign, or the identity of the targeted organizations (The Hacker News).
In response, Microsoft is deploying a temporary mitigation via its Exchange Emergency Mitigation Service (EEMS). This service, which is enabled by default, applies a URL rewrite configuration to block the exploit. For environments where EEMS is not active or for air-gapped systems, administrators are instructed to use the Exchange On-premises Mitigation Tool (EOMT). The tool can be executed via the Exchange Management Shell to apply the fix either on a single server or across an entire environment (The Hacker News).
Microsoft noted a known cosmetic issue where the mitigation might display "Mitigation invalid for this exchange version" in the description field, even when the fix has been successfully applied. The company is currently working on a permanent patch for the defect. Meanwhile, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies must implement the necessary mitigations by May 29, 2026, to address the risk posed by this active exploitation (The Hacker News).
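Because EEMS pushes the mitigation automatically and the description field may read "Mitigation invalid for this exchange version" even on a successfully mitigated server, administrators will want to confirm from the Exchange Management Shell that the service is enabled and that the mitigation has actually been applied on every server. The following is an added example, not code from the article or from Microsoft; it uses the standard EEMS cmdlets and properties (MitigationsEnabled on the organization config, MitigationsApplied and MitigationsBlocked on each server, and the bundled Get-Mitigations.ps1 script) and assumes nothing about the mitigation's ID, which is assigned by Microsoft and is not given on the page.

```powershell
# Added example (not from the article or Microsoft): verify EEMS state and applied
# mitigations after an emergency mitigation is published. Run in the Exchange
# Management Shell on an on-premises Exchange 2016/2019/SE server.

# 1. Confirm the Exchange Emergency Mitigation Service is enabled at the org level.
#    EEMS is on by default; a value of False means no mitigation will be applied
#    automatically and EOMT must be run by hand.
Get-OrganizationConfig | Format-List MitigationsEnabled

# 2. Per server: list the mitigation IDs that EEMS has applied, and any an admin has
#    blocked. A server showing no entry in MitigationsApplied for the new mitigation
#    has not been protected yet and needs attention (or a manual EOMT run).
Get-ExchangeServer | Format-Table Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked -AutoSize

# 3. Get-Mitigations.ps1 ships in the Exchange Scripts folder and prints each known
#    mitigation with its status and description. Judge success by the applied status,
#    not by the description text, since the description may show the cosmetic
#    "Mitigation invalid for this exchange version" message on a mitigated server.
& "$exscripts\Get-Mitigations.ps1"

# 4. Optional: a compact one-line summary per server, useful for pasting into a
#    ticket while tracking the CISA deadline across an environment.
Get-ExchangeServer | ForEach-Object {
    '{0}: applied=[{1}] blocked=[{2}]' -f $_.Name,
        ($_.MitigationsApplied -join ','),
        ($_.MitigationsBlocked -join ',')
}
```

Step 2 is the check that matters operationally: EEMS reports what it has applied per server, so a fleet-wide listing shows any server that is lagging (for example an air-gapped one that cannot reach the mitigation feed) before the mandate date arrives.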
The emergence of CVE-2026-42897 highlights the persistent risk associated with on-premises email infrastructure, which remains a high-value target for attackers seeking initial access to corporate networks. As organizations continue to balance the maintenance of legacy on-premises systems with modern security requirements, the rapid weaponization of XSS-based spoofing flaws underscores the importance of automated mitigation services and timely patch management. Security teams should prioritize the application of the EOMT script while awaiting a permanent resolution from Microsoft.