– CVE-2026-42897 is a zero-day cross-site scripting flaw in on-premises Exchange Server (not in Exchange Online) that allows arbitrary JavaScript execution via a crafted email and certain user interactions, with no authentication required.
– Microsoft issued an emergency mitigation (EEMS) and CISA added the flaw to its Known Exploited Vulnerabilities catalog; remediation was mandated for federal agencies by May 29.
– Mitigation has functional side effects: OWA Print Calendar and inline images may break; OWA Light becomes unusable; cosmetic status bugs can show “Mitigation invalid” despite proper application.
Microsoft confirms active exploitation of CVE-2026-42897 in on-premises Exchange Server
Microsoft confirmed active exploitation of CVE-2026-42897, a zero-day in on-premises Exchange Server that lets attackers execute arbitrary JavaScript in a victim’s browser by sending a crafted email. No permanent patch exists. Microsoft deployed an emergency mitigation on May 14, and CISA added the flaw to its Known Exploited Vulnerabilities catalog the following day, requiring federal agencies to remediate by May 29. Exchange Online is not affected.
What the flaw does and who is affected
CVE-2026-42897 is a cross-site scripting flaw in the Outlook Web Access component of on-premises Microsoft Exchange Server, rated CVSS 8.1. An attacker sends a specially crafted email to a target. When the recipient opens it in OWA under certain interaction conditions, arbitrary JavaScript executes inside the browser session.
Microsoft classifies the vulnerability as a spoofing issue rooted in improper input neutralization during web page generation. The attack path does not require authentication or server access. It starts with an inbox.
Scope and immediate actions
The flaw hits on-prem Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition at any update level. Exchange Online is not vulnerable.
On-prem Exchange sits at the center of corporate email for governments, financial institutions, and enterprises that have not moved to the cloud. CISA’s Known Exploited Vulnerabilities catalog lists nearly two dozen Exchange Server flaws already, and ransomware groups have abused several of them to breach targets. CVE-2026-42897 arrived just two days after May’s Patch Tuesday, which patched 120 vulnerabilities but disclosed no zero-days in its release notes.
Mitigation steps taken by Microsoft
Microsoft deployed a temporary fix through its Exchange Emergency Mitigation Service, labeled M2.1.x. The EEMS applies the mitigation automatically via URL rewrite configuration on Exchange Mailbox servers where the service is enabled by default. Administrators can verify status using the Exchange Health Checker script at aka.ms/ExchangeHealthChecker.
For air-gapped or disconnected environments where EEMS cannot reach Microsoft’s servers, admins must manually download the latest Exchange On-premises Mitigation Tool and run it via an elevated Exchange Management Shell. The command targets a single server or can run across the full Exchange fleet at once.
Potential cosmetic and functional impacts
There is one cosmetic issue to be aware of. Some servers will show the mitigation status as “Mitigation invalid for this exchange version” in the description field. Microsoft confirms the fix is applied correctly in these cases if the status column reads “Applied”. The display text is a known cosmetic bug under investigation.
Applying the fix has functional consequences. The OWA Print Calendar feature stops working after the mitigation applies. Inline images no longer display correctly in recipients’ reading panes inside Outlook Web Access.
Interface changes and future fixes
OWA Light, the legacy interface accessed via a URL ending in /?layout=light, also stops functioning after the mitigation applies. Microsoft deprecated the interface years ago and does not consider it production-ready, but organizations still using it will need to route users through the standard OWA URL instead.
Microsoft is developing a permanent fix and has not confirmed a release timeline. When available, Exchange Server Subscription Edition will receive it through the standard update channel. Exchange Server 2016 and 2019 will only get the permanent patch through Microsoft’s Period 2 Extended Security Update program.
Coordinated response and ongoing exposure
Organizations running either older version without ESU enrollment will stay exposed until they apply the emergency mitigation manually. CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15 and requires Federal Civilian Executive Branch agencies to remediate by May 29. Microsoft has not identified the threat actors behind the active attacks or disclosed which organizations attackers targeted.
The timing of CVE-2026-42897 sits at the other end of the vulnerability lifecycle from proactive discovery. Microsoft’s MDASH AI model recently identified 16 critical Windows flaws before attackers could reach them, a detection approach that CVE-2026-42897 bypassed entirely.
