Microsoft has recently revealed a critical security vulnerability affecting on-premise Exchange Server versions. This flaw, identified as CVE-2026-42897 with a CVSS score of 8.1, has been actively exploited, posing significant risks to users. The vulnerability stems from a cross-site scripting issue, allowing unauthorized attackers to perform spoofing attacks over networks.
Details of the Vulnerability
The security flaw was discovered by an anonymous researcher and has been characterized as a spoofing bug. Improper neutralization of input during the generation of web pages in Microsoft Exchange Server enables attackers to execute arbitrary JavaScript code. This occurs when a crafted email is opened in Outlook Web Access under specific conditions.
Microsoft has tagged this vulnerability with an ‘Exploitation Detected’ label, signifying active attempts to exploit the flaw. The company advises users to be vigilant and to apply recommended mitigations promptly.
Mitigation Measures and Impact
In response, Microsoft has introduced a temporary solution via its Exchange Emergency Mitigation Service. This service automatically implements a URL rewrite configuration to mitigate the issue and is enabled by default. Users are encouraged to ensure this Windows service is active to protect their systems.
For those unable to use the mitigation service due to air-gap restrictions, Microsoft has provided alternative actions. These include downloading the latest Exchange on-premises Mitigation Tool and applying it either per server or across all servers using specific PowerShell commands.
Current Status and Recommendations
Exchange Online remains unaffected by this vulnerability, while the impacted versions include Exchange Server 2016, 2019, and the Subscription Edition. Microsoft has acknowledged a cosmetic issue where the mitigation status may appear incorrect, but assures users that the mitigation applies successfully.
As of now, details regarding the exploitation methods, the threat actors involved, or the extent of the attacks are unavailable. Consequently, Microsoft urges users to adopt the suggested mitigations to safeguard their systems.
While the company works on a permanent fix, staying informed and proactive is crucial for users of affected Exchange Server versions to maintain security and integrity.
