Microsoft said on Thursday that attackers are actively exploiting a spoofing vulnerability in on-premises Exchange Server editions, a flaw tracked as CVE-2026-42897 with a CVSS score of 8.1 and affecting Exchange Server 2016, 2019 and Subscription Edition.
KEY FACTS
- Bug type: A spoofing issue tied to cross-site scripting
- Impact: Crafted email could lead to arbitrary JavaScript execution in Outlook Web Access under certain conditions
- Scope: Exchange Online is not affected
- Response: Microsoft is using the Exchange Emergency Mitigation Service and plans a permanent fix
A Microsoft security advisory said an unauthorized attacker could use the flaw over a network after sending a crafted email that a user opens in Outlook Web Access. The company said exploitation requires certain interaction conditions.
The temporary mitigation is available through the Exchange Emergency Mitigation Service, which applies a URL rewrite configuration and is enabled by default. If that service is not an option because of air-gap restrictions, Microsoft outlined steps using the on-premises Mitigation Tool on a per-server basis or across all non-Edge servers.
The disclosure said the company is aware of a cosmetic issue in which the mitigation may show the message “Mitigation invalid for this exchange version” even when it has been applied successfully. Microsoft said it is investigating the issue.
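As an added check that is not part of the article or Microsoft's advisory, the following Exchange Management Shell snippet reads the Emergency Mitigation Service status properties exposed by Get-OrganizationConfig and Get-ExchangeServer, so an administrator can confirm the service is enabled and see which mitigations each non-Edge server reports as applied rather than relying on the status message the article says may be misleading. The mitigation ID is a placeholder, since the article does not give one.

```powershell
# Added example (not from Microsoft's advisory or the article). Run in the
# Exchange Management Shell on an on-premises Exchange server.
# <MITIGATION-ID> is a placeholder; use the ID from the advisory for CVE-2026-42897.
$ExpectedMitigation = '<MITIGATION-ID>'

# Organization-wide switch for the Emergency Mitigation Service
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level (re-enable with Set-OrganizationConfig -MitigationsEnabled `$true)."
}

# Per-server status; Edge Transport servers are outside the mitigation's scope
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

$report = foreach ($s in $servers) {
    $applied = @($s.MitigationsApplied)
    [pscustomobject]@{
        Server             = $s.Name
        MitigationsEnabled = $s.MitigationsEnabled
        Applied            = ($applied -join ', ')
        Blocked            = (@($s.MitigationsBlocked) -join ', ')
        HasExpected        = ($applied -contains $ExpectedMitigation)
    }
}

$report | Format-Table -AutoSize

# Servers that do not report the expected mitigation need attention first
$report | Where-Object { -not $_.HasExpected } |
    ForEach-Object { Write-Warning "$($_.Server): mitigation $ExpectedMitigation not reported as applied" }
```

A server with MitigationsEnabled set to false will never receive the rewrite rule automatically, which is the case where the manual tool route described above applies.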
No details were provided on how the vulnerability is being exploited, who is behind the activity, or whether any attacks succeeded. The disclosure also did not identify the targets or the scale of the campaign.
WHY IT MATTERS
The flaw affects widely used on-premises Exchange Server deployments, which can expose organizations that manage their own mail systems. Microsoft said Exchange Online is not impacted, and it urged administrators to apply the mitigations while a permanent fix is being prepared.