Exchange Server Emergency: Hackers Actively Exploiting New OWA Zero-Day

On May 14, 2026, Microsoft issued an urgent security warning regarding an unpatched, critical zero-day vulnerability in Exchange Server that threat actors are actively exploiting in the wild.

Tracked as CVE-2026-42897, this network-based spoofing flaw carries a high CVSS 3.1 severity score of 8.1. Because the security defect is under active exploit before a permanent software patch has been finalized, server administrators must immediately verify that automated defensive workarounds are functional.

The exposure is restricted entirely to on-premises deployments—including enterprise hybrid setups. Organizations using cloud-hosted Exchange Online are completely unaffected and require no customer action.


The Technical Breakdown: OWA Session Hijacking

The threat vector targets the Outlook Web Access (OWA) interface. At its core, the bug is a Cross-Site Scripting (XSS) weakness stemming from improper input neutralization during web page generation.

The Attack Vector:

  • The Delivery: An unauthenticated attacker sends a specially crafted email directly to an internal corporate user.
  • The Execution: If the recipient opens the malicious message using OWA in their web browser (under certain specific interaction conditions), the payload executes seamlessly.
  • The Takeover: The flaw allows arbitrary JavaScript to run within the user’s browser context.

Because exploitation requires no administrative privileges and has low attack complexity, attackers are actively using it to bypass security boundaries, hijack active user sessions, and read or manipulate the user's local browser data.

The flaw impacts multiple versions of the on-premises platform across all update levels:

  • Exchange Server 2016
  • Exchange Server 2019
  • Exchange Server Subscription Edition (SE) RTM

Immediate Action: Verifying the “M2” Emergency Mitigation

Since a permanent security update is still undergoing QA testing, Microsoft has pushed an interim block through the automated cloud-connected Exchange Emergency Mitigation Service (EEMS).

For standard connected environments, the dynamic URL-Rewrite rule, designated as Mitigation ID: M2.1.x (or simply M2), is applied automatically.

How to Verify Your Servers are Safe:

Open the Exchange Management Shell (EMS) or deploy the official Exchange Health Checker script to inspect applied mitigations.

PowerShell

# Run this on your mailbox servers to check mitigation status
Get-ExchangeServer | Format-List Name, MitigationsApplied

Important Cosmetic Bug Note: Microsoft has confirmed a known bug where the EEMS management console displays the warning: “Mitigation invalid for this exchange version.” Engineers state this is purely cosmetic. If the server status shows “Applied”, the network-level block is successfully protecting your environment.
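The following script is an added example for this article, not Microsoft's own tooling: it runs the same Get-ExchangeServer check across every non-Edge server and flags any host whose MitigationsApplied property does not list an ID beginning with "M2" (the prefix under which M2.1.x is reported, per the advisory). It assumes an Exchange Management Shell session.

```powershell
# Added example (not from the advisory or the CSS-Exchange project).
# Assumes: Exchange Management Shell loaded; the EEMS mitigation ID for this
# CVE appears in MitigationsApplied with an "M2" prefix.
function Get-M2MitigationStatus {
    [CmdletBinding()]
    param(
        # Prefix of the mitigation ID to look for; M2.1.x is reported as "M2..."
        [string]$MitigationPrefix = 'M2'
    )

    Get-ExchangeServer |
        Where-Object { $_.ServerRole -ne 'Edge' } |     # Edge servers are out of scope
        ForEach-Object {
            $applied = @($_.MitigationsApplied)            # multivalued; may be empty
            $hasM2   = [bool]($applied | Where-Object { $_ -like "$MitigationPrefix*" })
            [pscustomobject]@{
                Server             = $_.Name
                Version            = $_.AdminDisplayVersion
                MitigationsApplied = ($applied -join ', ')
                M2Applied          = $hasM2
            }
        }
}

# Report every server, then call out the ones still without the block
$status = Get-M2MitigationStatus
$status | Format-Table -AutoSize

$missing = @($status | Where-Object { -not $_.M2Applied })
if ($missing.Count -gt 0) {
    Write-Warning ("Servers without an M2 mitigation: {0}" -f ($missing.Server -join ', '))
    Write-Warning "Check EEMS outbound connectivity on these hosts, or apply the block manually with EOMT.ps1."
}
```

A server reporting the cosmetic "Mitigation invalid for this exchange version" warning will still show M2Applied as True here, which is the value that matters.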

Air-Gapped and Disconnected Networks:

If your environment does not have direct outbound HTTPS traffic to the Office Config Endpoint, you must secure your perimeter manually. Download the latest Exchange On-Premises Mitigation Tool (EOMT.ps1) script from the official CSS-Exchange repository and run it via an elevated shell:

PowerShell

# List the non-Edge servers that need the block, then run EOMT.ps1 locally on each one
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | Format-Table Name, ServerRole

# On each of those servers, from an elevated Exchange Management Shell:
.\EOMT.ps1 -CVE "CVE-2026-42897"

Known Operational Side Effects

Applying the emergency mitigation introduces minor operational disruptions that internal helpdesks must prepare for:

  1. OWA Print Calendar Defect: The print calendar functionality within web mail will fail. Affected users must use the Outlook desktop client or capture manual screenshots.
  2. Broken Inline Images: Images embedded directly into the reading pane may fail to display correctly. Users must use desktop applications or ask senders to attach images as files.

Despite these functional inconveniences, security analysts strongly advise leaving the automated mitigation active.


Looking Forward: Patch Limitations

When Microsoft completes the official software update, the distribution model will require careful attention. A permanent patch will be publicly available for the new Exchange Server Subscription Edition.

However, patches for older platforms—Exchange 2016 and Exchange 2019—will be strictly restricted to enterprise clients actively enrolled in the paid Period 2 Exchange Server Extended Security Update (ESU) program. IT managers running legacy cumulative updates are encouraged to upgrade their underlying infrastructure immediately to ensure patch compatibility.
