Microsoft has issued an urgent alert about a critical vulnerability in its on-premises Exchange Server platform that is already being exploited. Tracked as CVE-2026-42897, the flaw carries a CVSS 3.1 base score of 8.1 and puts on-premises email systems at serious risk.
Exploitation and Impact on Systems
The vulnerability sits in Outlook Web Access (OWA), the web mail front end of on-premises Exchange, and threat actors are exploiting it in the wild. Because attacks began before a permanent fix was available, administrators should apply the interim mitigation now rather than wait for a security update.
Exchange Online is not affected: the attack path exists only in on-premises deployments.
Technical Details of the Vulnerability
At its core the flaw is cross-site scripting (XSS): improper neutralization of input during web page generation, CWE-79. An attacker sends a specially crafted email to a target user; when the user opens or otherwise interacts with the message in OWA, attacker-supplied JavaScript runs in the user's browser, within the OWA origin.
Exchange Server 2016, 2019 and the Subscription Edition are all affected. Because the script executes as the signed-in user, the attacker needs no credentials or administrative access on the server: delivering the email is enough to hijack the victim's OWA session or tamper with data the browser holds for that session.
Mitigation and Future Updates
Microsoft has shipped a temporary mitigation through the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on supported servers and pulls mitigations automatically. The mitigation, labeled M2.1.x, protects vulnerable environments until a permanent fix is ready.
Servers on isolated networks cannot reach Microsoft's mitigation endpoint and do not receive it automatically; administrators there must apply the mitigation manually. The interim mitigation has known side effects: the Print Calendar function in OWA may not work and inline images may not render correctly.
These disruptions are minor compared with the exposure, so keep the mitigation in place until the fix is installed. Microsoft is finalizing a full security update, with public release planned for Exchange Server Subscription Edition. Exchange 2016 and 2019 will receive the fix only for customers enrolled in the Extended Security Update (ESU) program.
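As an added example, not part of the original article or of Microsoft's own guidance, the following Exchange Management Shell snippet checks whether EEMS is able to deliver the mitigation and whether a mitigation has actually landed on each server. It assumes the standard EEMS properties on Get-OrganizationConfig and Get-ExchangeServer, the MSExchangeMitigation Windows service, the Office Config Service endpoint officeclient.microsoft.com, and the Get-Mitigations.ps1 script in the Exchange Scripts folder ($exscripts). The mitigation identifier it looks for ($expected) is a placeholder you replace with the ID Microsoft publishes for this CVE.

```powershell
# Added example (not from the article): audit EEMS readiness and applied
# mitigations. Run in the Exchange Management Shell on an on-premises
# Exchange 2016 / 2019 / Subscription Edition server.

# 1. Organization-wide switch. When $false, EEMS is off for every server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization MitigationsEnabled: $orgEnabled"

# 2. Per-server view. MitigationsApplied lists the mitigation IDs EEMS has
#    applied on that server; MitigationsBlocked lists IDs an admin opted out of.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }
$servers |
    Select-Object Name, MitigationsEnabled,
        @{ Name = 'Applied'; Expression = { $_.MitigationsApplied -join ', ' } },
        @{ Name = 'Blocked'; Expression = { $_.MitigationsBlocked -join ', ' } } |
    Format-Table -AutoSize

# 3. Flag servers that lack the mitigation for this CVE. The prefix below is a
#    placeholder (assumption); substitute the ID Microsoft assigns, which the
#    article reports as M2.1.x.
$expected = 'M2.1'
foreach ($s in $servers) {
    $hit = $s.MitigationsApplied | Where-Object { $_ -like "$expected*" }
    if (-not $hit) {
        Write-Warning "$($s.Name): no mitigation matching '$expected' applied"
    }
}

# 4. The Windows service behind EEMS must be running on the local server.
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType

# 5. EEMS pulls mitigations from the Office Config Service. If this fails the
#    server is effectively isolated and the mitigation must be applied by hand.
$ocs = Test-NetConnection -ComputerName 'officeclient.microsoft.com' -Port 443 `
        -WarningAction SilentlyContinue
Write-Host "Office Config Service reachable on 443: $($ocs.TcpTestSucceeded)"

# 6. Microsoft's own status script, shipped in the Exchange Scripts folder.
& (Join-Path $exscripts 'Get-Mitigations.ps1')
```

A server that shows MitigationsEnabled as $true but an empty Applied column, together with a failed connectivity test in step 5, is the isolated case the article describes: EEMS is on but cannot fetch anything, so the mitigation has to be applied manually and re-checked here afterwards.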
Organizations should also bring their servers to the latest cumulative update now, since the forthcoming security update will only install on supported CU levels.
