Microsoft Warns of High-Severity Zero-Day in On-Premises Exchange Servers
Microsoft has issued a warning regarding a high-severity zero-day vulnerability in on-premises Exchange Servers that allows for remote spoofing and potential arbitrary code execution.

Microsoft has disclosed a high-severity zero-day vulnerability in its on-premises Exchange Server products, warning that the flaw could allow unauthorized attackers to execute arbitrary code via specially crafted emails. The vulnerability, tracked as CVE-2026-42897, carries a CVSS score of 8.1 and stems from improper input neutralization during web page generation, specifically a cross-site scripting (XSS) issue that enables network-based spoofing (Infosecurity Magazine).
The flaw impacts a wide range of on-premises deployments, including all existing versions of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Microsoft has confirmed that Exchange Online is not affected by this vulnerability. While the company is currently developing security patches, no permanent fix is yet available for the affected software versions (Infosecurity Magazine).
To protect environments in the interim, Microsoft recommends that administrators use the Exchange Emergency Mitigation (EM) Service. For most users, this service is enabled by default, meaning the necessary mitigation (M2.1.x) may have already been applied automatically. Administrators are encouraged to verify their status by running the Exchange Health Checker script or by manually checking for the specific mitigation identifier. Microsoft notes that servers running versions older than March 2023 are ineligible for these automated updates (Infosecurity Magazine).
For organizations operating in air-gapped or disconnected environments where the EM Service is unavailable, Microsoft has provided an alternative manual mitigation path. Administrators can download and execute the Exchange On-premises Mitigation Tool (EOMT) via an elevated Exchange Management Shell. The company cautions that both the automated and manual mitigation measures may cause service disruptions, such as the loss of OWA Print Calendar functionality or issues with displaying inline images (Infosecurity Magazine).
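As an added example (not Microsoft's tooling and not code from the article), the following Exchange Management Shell fragment performs the manual verification step described above across every server in the organization and flags the ones that are candidates for the EOMT path. It assumes the `MitigationsEnabled` and `MitigationsApplied` properties that the EM Service populates on `Get-ExchangeServer` and `Get-OrganizationConfig`, and the placeholder `M2.1.x` must be replaced with the exact identifier from Microsoft's advisory, which the article does not spell out.

```powershell
# Added example; not Microsoft's script and not from the article. Run in an elevated Exchange Management Shell.
# Assumption: Get-ExchangeServer exposes MitigationsEnabled / MitigationsApplied (filled in by the EM Service).
# Placeholder: the article only gives "M2.1.x"; substitute the exact identifier from Microsoft's advisory.
$MitigationId = 'M2.1.x'

# Organization-wide switch: when this is $false the EM Service applies nothing on any server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    $applied = @($server.MitigationsApplied)          # may be empty on servers the EM Service has not reached
    [pscustomobject]@{
        Server              = $server.Name
        AdminDisplayVersion = $server.AdminDisplayVersion   # compare against the March 2023 eligibility floor
        EMServiceEnabled    = [bool]($orgEnabled -and $server.MitigationsEnabled)
        MitigationPresent   = [bool]($applied -contains $MitigationId)
        MitigationsApplied  = ($applied -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers still exposed: EM Service disabled, or the mitigation not recorded as applied.
# These are the ones to handle with the manual EOMT route the advisory describes.
$report |
    Where-Object { -not $_.EMServiceEnabled -or -not $_.MitigationPresent } |
    ForEach-Object { Write-Warning "$($_.Server): mitigation $MitigationId not confirmed (version $($_.AdminDisplayVersion))" }
```

Cross-check the result against the Exchange Health Checker output, since the script only reports what the EM Service has recorded and does not itself test whether the mitigation is effective.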
Regarding the eventual permanent fix, Microsoft has outlined a tiered release strategy. Security updates for Exchange SE will be made publicly available to all users. However, patches for Exchange 2016 and 2019 will be restricted exclusively to customers enrolled in the Period 2 Exchange Server Extended Security Update (ESU) program (Infosecurity Magazine).
This incident highlights the persistent security challenges associated with maintaining on-premises mail infrastructure. As threat actors continue to target legacy and enterprise email servers, the reliance on emergency mitigation tools and tiered patch availability underscores the importance of keeping Exchange environments updated to the latest supported versions to ensure eligibility for critical security fixes (Infosecurity Magazine).