Tag

Exchange Emergency Mitigation Service

All articles tagged with #exchange emergency mitigation service

On-Prem Exchange Exploit Targets Crafted Emails With CVE-2026-42897
technology | 12 days ago

Microsoft warns that CVE-2026-42897 in on-premises Exchange Server is being actively exploited. The flaw is a cross-site scripting spoofing issue that can let an attacker run arbitrary JavaScript when a user opens a crafted email in Outlook Web Access under certain interactions. Affected products are Exchange 2016, 2019, and SE (any update); Exchange Online is not impacted. Mitigations are provided via the Exchange Emergency Mitigation Service (URL rewrite) and, for manual deployment, the on-prem EOMT tool; air-gapped environments can apply the per-server or all-servers script. A cosmetic issue may show 'Mitigation invalid for this exchange version', but the mitigation is still applicable. No details are available on who is exploiting the flaw or on the scope; admins are advised to apply the mitigations promptly.