Microsoft has revealed an actively exploited high-severity vulnerability in on-premises Exchange Server versions. CVE-2026-42897, a spoofing flaw triggered via crafted emails, enables threat actors to run arbitrary scripts within Outlook Web Access browsers, exposing enterprises to identity, phishing, and malware risks.
- CVE-2026-42897 enables cross-site scripting via crafted email in Exchange Web Access
- Active exploitation detected affecting multiple on-prem Exchange Server versions
- Emergency mitigation service available; permanent patch forthcoming
Threat signal
The vulnerability CVE-2026-42897 introduces a cross-site scripting (XSS) flaw that enables spoofing attacks through maliciously crafted emails. When these emails are opened in Outlook Web Access under specific conditions, attackers can execute arbitrary JavaScript within the context of the user's browser session. This creates opportunities for identity spoofing, session hijacking, or further malware delivery.
Microsoft confirmed active exploitation in the wild, elevating the urgency for organizations managing on-premises Exchange servers to respond. While the full scope of targeted victims or details about actor profiles remain unconfirmed, the presence of exploitation signals an evolving threat landscape leveraging email platforms to bypass traditional endpoint defenses.
Operator exposure
Enterprises running affected on-prem Exchange Server versions are at heightened risk of credential theft, phishing vector expansion, and broader compromise from this XSS vulnerability. The exploit leverages native web client behavior (Outlook Web Access), increasing the attack surface beyond standard perimeter security controls.
Microsoft does not consider Exchange Online vulnerable, isolating risk primarily to air-gapped or legacy on-prem Exchange deployments. Operators should assess whether environmental or security constraints limit deploying the Exchange Emergency Mitigation Service, which applies automatic URL rewrite rules designed to block exploit conditions while awaiting full patch availability.
What teams should watch
Security and IT operations teams must prioritize verifying the activation status of the Exchange Emergency Mitigation Service, enabling it manually if disabled. Teams must also monitor for cosmetic system messages indicating mitigation status, understanding that 'Mitigation invalid for this exchange version' is a false alarm when marked as 'Applied'.
Continuous vigilance on incoming email patterns and user reports of unusual browser or session behavior is advised given the exploit’s use of client-side scripting. Parallel preparation for the forthcoming permanent patch should be integrated into update cycles. Additionally, teams managing hybrid environments should verify that Exchange Online remains segregated from affected on-prem components to avoid downstream risk.