Microsoft has disclosed a newly identified security vulnerability affecting on premises Exchange Server deployments that is currently being exploited in active attacks. The vulnerability, tracked as CVE 2026 42897, carries a CVSS severity score of 8.1 and has been described as a spoofing flaw linked to a cross site scripting issue within Microsoft Exchange Server. According to the company, the issue was reported by an anonymous security researcher and impacts multiple on premises Exchange Server environments, including Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition across all update levels.
Microsoft stated that the vulnerability stems from improper neutralization of user input during web page generation, which creates conditions for cross site scripting attacks. The company explained that attackers can exploit the flaw by sending specially crafted emails to targeted users. If the recipient opens the malicious email through Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript code can execute within the context of the victim’s web browser. Security analysts noted that this type of browser based code execution could potentially expose sensitive session information or enable additional malicious activity through spoofed web interactions.
The company confirmed that active exploitation has already been detected in the wild, although it has not publicly disclosed details regarding the threat actors involved, the scale of the attacks, or the industries and organizations targeted. Microsoft also stated that there is currently no indication that Exchange Online services are impacted by the vulnerability, limiting exposure primarily to organizations operating on premises Exchange environments. As part of its response, Microsoft has deployed temporary mitigation measures through the Exchange Emergency Mitigation Service, which automatically applies protection using a URL rewrite configuration. The mitigation service is enabled by default, though organizations that have disabled the Windows service have been advised to reactivate it immediately to ensure the protections are applied.
For organizations operating in air gapped environments where the Exchange Emergency Mitigation Service cannot be used, Microsoft has recommended manually applying protections through the Exchange on premises Mitigation Tool. The company instructed administrators to download the latest version of the tool from Microsoft Unified EOMT Download Page and execute mitigation scripts either on individual Exchange servers or across multiple systems simultaneously using Exchange Management Shell commands. Microsoft also acknowledged reports of a cosmetic issue where some systems display the message “Mitigation invalid for this exchange version” within the description field even when the mitigation has been successfully applied. According to the Exchange Team, administrators should verify whether the status appears as “Applied,” which confirms the mitigation is functioning correctly despite the incorrect warning message.
Cybersecurity experts noted that vulnerabilities involving Outlook Web Access remain particularly concerning because email based attacks continue to serve as a common entry point for enterprise compromises. Since many organizations still maintain hybrid or fully on premises Exchange deployments, rapid mitigation and monitoring remain essential to reduce potential exposure. Microsoft said it is currently preparing a permanent security update to address CVE 2026 42897 while continuing to investigate the active exploitation activity associated with the flaw.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
