
Microsoft has disclosed a new security vulnerability affecting the on-premises version of Exchange Server and announced that it is being exploited in the wild.
The vulnerability is tracked as CVE-2026-42897 (CVSS score: 8.1) and is described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher is credited with discovering and reporting the issue.
“Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server could allow an unauthorized attacker to perform spoofing over a network,” the tech giant said in an advisory published Thursday.
Microsoft, which has rated the vulnerability as “Exploitation Detected,” said that an attacker could weaponize it by sending a crafted email to a user. If the message is opened in Outlook Web Access (OWA) and other unspecified “specific interaction conditions” are met, arbitrary JavaScript can execute in the context of the victim’s browser session, which is what makes the spoofing possible.
Redmond also noted that while it is providing a temporary mitigation through the Exchange Emergency Mitigation Service, it is still preparing a permanent fix for the flaw.
The Exchange Emergency Mitigation Service is enabled by default and applies mitigations automatically through URL Rewrite configuration. If the service is not running on a server, Microsoft recommends enabling the corresponding Windows service.
According to Microsoft, Exchange Online is not affected by this vulnerability. The following on-premises Exchange Server versions are affected:
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any update level)
If the Exchange Emergency Mitigation Service cannot be used, for example because the servers are air-gapped and cannot reach Microsoft, the company outlines the next course of action:
Download the latest version of the Exchange On-Premises Mitigation Tool (EOMT) from aka.ms/UnifiedEOMT. Apply the mitigation on a server-by-server basis, or run it through an elevated Exchange Management Shell (EMS) to apply the mitigation on all servers at once.
Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
Microsoft said it is also aware of a known issue where the mitigation description field displays “Mitigation is disabled for this Exchange version.” “This issue is cosmetic and the mitigation will be applied successfully if the status shows ‘Applied’,” the Exchange team said. “We are looking into ways to address it.”
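The following PowerShell is an added example, not code from the article or from Microsoft. It strings the steps above into one pass from an elevated Exchange Management Shell: check whether the Emergency Mitigation Service is running, show what each server reports, fall back to the EOMT invocation the advisory gives for air-gapped servers, and then verify by status rather than by the description text the known issue garbles. It assumes EOMT.ps1 is already in the current directory, that the Emergency Mitigation Service is registered as the Windows service MSExchangeMitigation, that Get-ExchangeServer exposes the Mitigations* properties, that Get-Mitigations.ps1 is present in the Exchange Scripts folder, and that the mitigation is deployed as URL Rewrite rules on the “Default Web Site”; none of those details come from the page.

```powershell
# Added example, not code from the page or from Microsoft. Run from an elevated
# Exchange Management Shell on an Exchange 2016/2019/SE mailbox server, with
# EOMT.ps1 already downloaded into the current directory.
# Assumptions (not stated on the page): the Emergency Mitigation Service is the
# Windows service MSExchangeMitigation, Get-ExchangeServer exposes Mitigations*
# properties, Get-Mitigations.ps1 lives in the Exchange Scripts folder, and the
# mitigation lands as IIS URL Rewrite rules on "Default Web Site".
$cve = 'CVE-2026-42897'

# 1. Preferred path: is the Emergency Mitigation Service installed and running?
#    Even when it is, it only helps if the server can reach Microsoft, so an
#    air-gapped host still needs step 3.
$eems = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
if ($null -eq $eems) {
    Write-Warning 'Emergency Mitigation Service not found on this host.'
} elseif ($eems.Status -ne 'Running') {
    Write-Warning "Emergency Mitigation Service is $($eems.Status); starting it."
    Start-Service -Name MSExchangeMitigation
}

# 2. Show the org-wide switch and what every non-Edge server reports.
Get-OrganizationConfig | Format-List MitigationsEnabled
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }
$servers | Format-Table Name, ServerRole, MitigationsEnabled, MitigationsApplied, MitigationsBlocked -AutoSize

# 3. Fallback for air-gapped servers: apply the EOMT mitigation to all
#    non-Edge servers at once (the same invocation the advisory gives).
$servers | .\EOMT.ps1 -CVE $cve

# 4. Verify by the Status column, looking for "Applied". Ignore a Description
#    of "Mitigation is disabled for this Exchange version": per Microsoft that
#    text is cosmetic and does not mean the mitigation is missing.
& "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"

# 5. Independent check on the local server: list the URL Rewrite rules now
#    present on the frontend site, which is where a rewrite-based mitigation
#    would appear. Compare against a pre-mitigation baseline if you kept one.
Import-Module WebAdministration
Get-WebConfiguration -Filter '/system.webServer/rewrite/rules/rule' -PSPath 'IIS:\Sites\Default Web Site' |
    Select-Object name, @{ Name = 'pattern'; Expression = { $_.match.url } }
```

Keep the output of steps 2, 4 and 5 from before and after the run; the rewrite-rule listing is the only check here that does not depend on Exchange’s own reporting, so it is the one to trust if the cosmetic bug makes the report ambiguous.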
At this time, details about how the vulnerability is being exploited, the identity of the threat actor behind the activity, and its scale are unknown. It is also unclear who the targets were and whether the attacks succeeded. In the meantime, administrators of on-premises Exchange Server should apply the mitigations recommended by Microsoft until a permanent fix ships.
