Microsoft Exchange zero‑day (CVE‑2026‑42897) actively exploited, emergency mitigations issued
Microsoft disclosed a high‑severity zero‑day vulnerability (CVE‑2026‑42897) in on‑premises Exchange Server 2016, 2019 and Subscription Edition. The flaw is a cross‑site scripting issue in Outlook Web Access that can execute arbitrary JavaScript when a specially crafted email is opened, allowing attackers to take control of a user's browser session.
The vulnerability is already being exploited in the wild. CISA added it to its Known Exploited Vulnerabilities catalog on May 15 and set a remediation deadline of May 29 for U.S. Federal Civilian Executive Branch agencies, urging all organizations to apply mitigations. Microsoft has released a temporary Emergency Mitigation Service (EM Service), enabled by default on most Exchange servers, and advises administrators to verify its operation with the Exchange Health Checker script. A full security update is in development. The issue does not affect Exchange Online.
Security analysts note that this active exploitation underscores the urgency for enterprises running on‑premises Exchange to apply the mitigation and plan for the forthcoming patch.