Urgent Mitigations Advised as New Exchange Server Vulnerability Actively Exploited

May 15, 2026
  • Microsoft disclosed a new on-premises Exchange Server vulnerability, CVE-2026-42897, a cross-site scripting flaw that Microsoft classifies as spoofing. An attacker who sends a crafted email and induces certain interactions with it in Outlook Web Access can run arbitrary JavaScript in the victim's browser, inside the victim's OWA session.

  • Microsoft has published several mitigation options and advises applying them now, while the permanent patch is still being developed; it has released no public details of the exploitation pathways seen in the wild.

  • The vulnerability is being actively exploited in the wild and carries a CVSS score of 8.1. It affects on-premises Exchange Server 2016, 2019, and Subscription Edition (SE); Exchange Online is not affected.

  • Microsoft has published dedicated blog posts and official pages detailing Emergency Mitigation Service guidance and planned fixes.

  • Servers running older cumulative updates may need to be brought to a supported CU before the mitigations can be applied, and Exchange 2016/2019 customers are cautioned to enroll in the Extended Security Updates (ESU) program where applicable in order to receive future updates.

  • Administrators should enable the Exchange Emergency Mitigation Service (EEMS) immediately so that Microsoft's mitigations are fetched and applied automatically. In air-gapped environments where EEMS cannot reach Microsoft, apply the mitigations manually with the Exchange On-Premises Mitigation Tool (EOMT) and the PowerShell steps Microsoft provides for a single server or for all servers.
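The EEMS steps above, as an added example that is not part of the advisory and not one of Microsoft's own scripts: it turns on mitigations at the organization and server level, checks that the mitigation service is actually running, tests whether each server can reach Microsoft (a failure here is the air-gapped case that needs the manual EOMT path), and reports which mitigations are applied or blocked. It assumes it is run from the Exchange Management Shell (Windows PowerShell) with Exchange administrator rights on a CU that supports EEMS, that `$exscripts` (set by the shell) points at the Exchange Scripts folder, and that `Test-MitigationServiceConnectivity.ps1` and `Get-Mitigations.ps1` are present there, as they are on EEMS-capable builds; the service name `MSExchangeMitigation` is the one Microsoft documents for the Emergency Mitigation Service.

```powershell
# Added example, not from the advisory or from Microsoft's own scripts.
# Assumptions: Exchange Management Shell (Windows PowerShell 5.1), Exchange admin rights,
# a CU that supports EEMS, $exscripts pointing at the Exchange Scripts folder, and the
# Test-MitigationServiceConnectivity.ps1 / Get-Mitigations.ps1 scripts present there.

# 1. Organization-wide switch. EEMS does nothing on any server while this is $false.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Host 'Enabling mitigations at the organization level'
    Set-OrganizationConfig -MitigationsEnabled $true
}

# 2. Per-server switch. Edge Transport servers do not run EEMS, so skip them.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }
foreach ($s in $servers) {
    if (-not $s.MitigationsEnabled) {
        Write-Host "Enabling mitigations on $($s.Name)"
        Set-ExchangeServer -Identity $s.Name -MitigationsEnabled $true
    }
}

# 3. The service itself must be running: with it stopped or disabled the flags above are
#    $true but no mitigation is ever downloaded or applied.
foreach ($s in $servers) {
    $svc = Get-Service -ComputerName $s.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "$($s.Name): MSExchangeMitigation service not found; CU too old for EEMS?"
    }
    elseif ($svc.Status -ne 'Running') {
        Write-Warning "$($s.Name): MSExchangeMitigation is $($svc.Status); starting it"
        Set-Service -ComputerName $s.Name -Name MSExchangeMitigation -StartupType Automatic
        Start-Service -InputObject $svc
    }
}

# 4. Can this server reach the Office Config Service that EEMS downloads mitigations from?
#    If not, it is effectively air-gapped and needs the manual mitigation path instead.
& (Join-Path $exscripts 'Test-MitigationServiceConnectivity.ps1')

# 5. Report. MitigationsApplied lists mitigation IDs now in place on each server and
#    MitigationsBlocked lists any an admin has opted out of. EEMS polls on an interval, so
#    re-run this after enabling to confirm the new mitigation shows up.
Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' } |
    Format-Table Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked -AutoSize

# Per-server detail of each mitigation's status from Microsoft's bundled script.
& (Join-Path $exscripts 'Get-Mitigations.ps1')
```

A server that passes step 3 but fails step 4 is the case the advisory's EOMT guidance is for: EEMS is healthy but cannot fetch anything, so the mitigation has to be applied by hand on that server. Note also that EEMS applies its mitigations as IIS URL Rewrite rules, so the IIS URL Rewrite module has to be installed for the service to do anything.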

  • CISA and NSA issued guidance to harden Exchange servers, following end-of-support dates for certain versions.

  • Security updates and patch activity across vendors continue to evolve, reflecting the broader cybersecurity landscape.

  • Administrators are urged to apply Microsoft’s temporary mitigations immediately to reduce exposure while a permanent fix is developed.

  • A permanent security update is planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15. It will be publicly released only for Exchange SE; Exchange 2016 and 2019 are out of mainstream support, so their fixes are delivered through ESU Period 2 and require ESU enrollment, with no extension beyond that period.

Summary based on 7 sources

