Microsoft has published an advisory about a new vulnerability in Exchange Server that allows malicious code to run from an ordinary email opened in the Outlook web interface. To carry out the attack, an adversary only needs to send a specially crafted message and wait for the recipient to open it in Outlook Web Access.
Tracked as CVE-2026-42897, the flaw affects on-premises Exchange Server 2016, 2019, and Subscription Edition (SE), regardless of their update level. The cloud-based Exchange Online is not affected. When the victim opens the email in Outlook Web Access, the attacker can run arbitrary JavaScript in the victim's browser. The exploit requires user interaction; Microsoft has not yet published the technical details.
Microsoft has deployed a temporary mitigation through the Exchange Emergency Mitigation Service (EEMS). The mitigation is applied automatically on Exchange 2016, 2019, and SE servers unless administrators have disabled the emergency mitigation feature. Microsoft strongly advises organizations that have disabled it to re-enable it as soon as possible.
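A quick way for an administrator to verify the state described above is to query the mitigation settings from the Exchange Management Shell. The following is an added example, not part of Microsoft's advisory; it assumes a supported Exchange 2016/2019/SE build on which the MitigationsEnabled, MitigationsApplied and MitigationsBlocked settings exist, and that the Windows service name for EEMS is MSExchangeMitigation.

```powershell
# Added example (not from the Microsoft advisory): check whether the Exchange
# Emergency Mitigation Service (EEMS) is enabled, see which mitigations it has
# applied, and re-enable it where it was switched off.
# Assumes an Exchange Management Shell session on Exchange 2016/2019/SE with
# EEMS support; property and service names are as documented by Microsoft.

# Is the EEMS Windows service present and running on this server?
Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue |
    Format-Table Name, Status, StartType -AutoSize

# Org-wide switch: EEMS is off everywhere if this is $false.
$org = Get-OrganizationConfig
"Organization MitigationsEnabled: $($org.MitigationsEnabled)"

# Per-server state: MitigationsApplied lists the mitigation IDs the service has
# applied, MitigationsBlocked lists IDs an administrator has explicitly blocked.
Get-ExchangeServer |
    Format-Table Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked -AutoSize

# Re-enable at the organization level if it was disabled.
if (-not $org.MitigationsEnabled) {
    Set-OrganizationConfig -MitigationsEnabled $true
    "Re-enabled EEMS at the organization level"
}

# Re-enable on any individual server where it was disabled locally.
Get-ExchangeServer |
    Where-Object { $_.MitigationsEnabled -eq $false } |
    ForEach-Object {
        Set-ExchangeServer -Identity $_.Name -MitigationsEnabled $true
        "Re-enabled EEMS on $($_.Name)"
    }

# EEMS polls Microsoft for new mitigations periodically. After the next poll,
# re-run the per-server query and confirm the mitigation ID from Microsoft's
# advisory (placeholder: not reproduced here) appears in MitigationsApplied
# and not in MitigationsBlocked.
```

If the mitigation ID shows up under MitigationsBlocked rather than MitigationsApplied, a previous administrator has opted the server out of that specific mitigation; clearing the block on the server is a separate, deliberate step and should be reviewed against the side effects Microsoft lists for this mitigation.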
For isolated and air-gapped networks without internet access, Microsoft has provided a procedure using the Exchange On-Premises Mitigation Tool (EOMT). The script lets administrators apply the mitigation to a single server or to all Exchange servers in the organization.
Microsoft warns that the mitigation can cause several side effects. In Outlook Web Access, calendar printing may stop working, images embedded in emails may not display correctly, and the light version of OWA (selected with the layout=light parameter) may behave erratically. Administrators may also see false alerts from Exchange's internal monitoring.
Microsoft has confirmed that a full fix is in development. Security updates are planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15. Fixes for Exchange 2016 and 2019 will be available only to customers enrolled in the second phase of the Extended Security Updates (ESU) program, as the first phase ended in April 2026.