On-Premises Exchange Server Back in Focus with Active Zero-Day Exploited
CVE-2026-42897 allows execution of JavaScript via opened email in Outlook Web Access. CISA mandated remediation by 29 May. The flaw affects Exchange Server 2016, 2019, and Subscription Edition, but does not impact Exchange Online.
Microsoft confirmed this week the active exploitation of CVE-2026-42897, a cross-site scripting vulnerability in on-premises Exchange Server disclosed on 15 May. The flaw allows an attacker to send a specially crafted email that, when opened in Outlook Web Access under certain interactive conditions, executes arbitrary JavaScript in the victim's browser context.
The CVSS score is 8.1, classified as spoofing. CISA added the CVE to the Known Exploited Vulnerabilities catalog the day after its disclosure, with a deadline of 29 May for federal agencies to apply mitigations.
Who is Exposed
The vulnerability affects all currently supported on-premises versions: Exchange Server 2016, Exchange Server 2019, and the recently launched Subscription Edition. Exchange Online, hosted by Microsoft itself, is not affected. This distinction concentrates the risk on organisations that have maintained corporate email on their own infrastructure, often for reasons of sovereignty, cost, or regulatory requirements.
The definitive fix has not yet been published. Microsoft recommends activating the Exchange Emergency Mitigation Service, which is enabled by default in updated installations, or manually applying the Exchange on-premises Mitigation Tool via PowerShell. Neither option removes the vulnerability; they merely reduce the attack surface until the official patch is released.
The Continuity of the On-Premises Exchange Problem
This instance reinforces a pattern observed since the Hafnium campaign in 2021: on-premises Exchange servers continue to be a primary target in espionage campaigns and targeted attacks. Microsoft has not disclosed the names of the actors involved or the geography of the victims, its usual stance while the offensive activity is still being mapped.
For security teams within consultancies and corporate clients, the immediate operational question is whether temporary mitigations are indeed active across all servers. The longer-standing strategic question remains the same: does the cost-benefit equation of maintaining on-premises Exchange still hold in 2026, considering the history of critical zero-days in the product and the maturity of hosted offerings? Each wave like this pushes parts of the remaining market towards migration, and managed service providers have been taking advantage of these moments to accelerate transition projects.
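The mitigation guidance above (Exchange Emergency Mitigation Service, or manual application via PowerShell) and the operational question of whether those mitigations are actually active on every server both come down to the same check. The script below is an added example, not code from the article or from Microsoft: it runs in the Exchange Management Shell and reports, per Mailbox server, the organisation-wide mitigation switch, the per-server switch, the state of the Emergency Mitigation Windows service, and the applied/blocked mitigation lists. The property names `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` and the service name `MSExchangeMitigation` are the ones Microsoft documents for the Emergency Mitigation Service; the mitigation identifier for this CVE is not given in the article, so `$ExpectedMitigationId` is a placeholder to be filled in from Microsoft's advisory, and the script assumes WinRM reachability from the shell host to each server.

```powershell
# Added example (not from the article or Microsoft): fleet-wide status of the
# Exchange Emergency Mitigation Service (EEMS). Run from an Exchange Management
# Shell with at least View-Only Organization Management rights.

# Placeholder: the mitigation ID Microsoft publishes for this CVE is not on the
# page; take it from the advisory before relying on the ExpectedApplied column.
$ExpectedMitigationId = '<MITIGATION-ID-FROM-MICROSOFT-ADVISORY>'

# Organisation-wide switch: if this is $false, EEMS is off on every server,
# whatever the per-server setting says.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

# EEMS runs on Mailbox servers only, so Edge Transport servers are skipped.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

$report = foreach ($name in $servers.Name) {
    # Re-fetch by identity so the mitigation lists are populated for this server.
    $srv = Get-ExchangeServer -Identity $name

    $svc = $null
    try {
        $svc = Get-Service -ComputerName $srv.Fqdn -Name 'MSExchangeMitigation' -ErrorAction Stop
    } catch {
        # Old CU without EEMS, firewall, or host down: surface it instead of hiding it.
    }

    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)

    [pscustomobject]@{
        Server          = $srv.Name
        Version         = $srv.AdminDisplayVersion
        OrgEnabled      = $orgEnabled
        ServerEnabled   = $srv.MitigationsEnabled
        ServiceStatus   = if ($svc) { $svc.Status.ToString() } else { 'Unreachable/NotInstalled' }
        Applied         = ($applied -join ',')
        Blocked         = ($blocked -join ',')
        ExpectedApplied = ($applied -contains $ExpectedMitigationId)
        # A server counts as covered only when every layer agrees: org switch on,
        # server switch on, service running, expected mitigation applied and not blocked.
        Covered         = [bool]($orgEnabled -and $srv.MitigationsEnabled -and $svc -and
                                 $svc.Status -eq 'Running' -and
                                 ($applied -contains $ExpectedMitigationId) -and
                                 -not ($blocked -contains $ExpectedMitigationId))
    }
}

$report | Sort-Object Covered, Server | Format-Table -AutoSize

# Servers still needing attention, e.g. candidates for manual EOMT application.
$gaps = @($report | Where-Object { -not $_.Covered })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} server(s) not covered by the temporary mitigation: {1}" -f `
        $gaps.Count, ($gaps.Server -join ', '))
}
```

The `Covered` column is deliberately conservative: a server with the service running but the mitigation on its blocked list, or with the per-server switch on while the organisation switch is off, is reported as a gap. Re-run the report after the permanent patch ships, since the temporary mitigation does not remove the vulnerability and the patch level, not the mitigation status, becomes the thing to track.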