Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers

https://www.infosecurity-magazine.com/news/microsoft-zeroday-exchange-servers/

Publish Date: 2026-05-15 07:35:00

Source Domain: www.infosecurity-magazine.com

Summary:

Microsoft has disclosed a high-severity zero-day vulnerability, tracked as CVE-2026-42897, in several on-premises versions of Exchange Server. The flaw is classified as improper neutralization of input during web page generation, i.e. cross-site scripting (XSS): a specially crafted email can inject script that runs in the browser session of a user who views it, rather than on the server itself, and Microsoft describes the impact as spoofing over the network. It carries a CVSS score of 8.1. Exchange Server 2016, 2019 and Subscription Edition are affected; Exchange Online is not. Microsoft has not yet released a patch but has published two interim mitigations, delivered either automatically through the Exchange Emergency Mitigation Service (EEMS) or manually with the Exchange On-premises Mitigation Tool (EOMT). The mitigations carry operational caveats, since they can disable specific features, but should stay in place until fixes ship; those security updates will then be released either publicly or only to customers enrolled in the Extended Security Updates (ESU) program, depending on the server version.

Key Points:

  • Microsoft disclosed a high-severity zero-day vulnerability in on-premises Exchange Server versions, affecting Exchange 2016, 2019, and Subscription Edition.
  • The vulnerability, CVE-2026-42897, enables cross-site scripting (XSS) attacks and scores 8.1 on the CVSS scale.
  • No patch is available yet, but temporary mitigations delivered through the Exchange Emergency Mitigation Service (EEMS) or the Exchange On-premises Mitigation Tool (EOMT) are available.
  • Microsoft acknowledges that these mitigations could disable specific features.
  • Security updates for the affected server versions will be released either publicly or only to customers enrolled in the Extended Security Updates (ESU) program.
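The check an Exchange administrator will want after reading this is whether EEMS is actually enabled on every server and which mitigations it has applied, since a server with the service disabled (or an older cumulative update without EEMS) silently gets nothing. The PowerShell below is an added example written for this page, not Microsoft's tooling or anything from the article. It uses the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that Get-ExchangeServer gained when EEMS shipped (Exchange 2016 CU22 / 2019 CU11); the server names are hypothetical, and the mitigation ID placeholder `M<ID>` is an assumption because the article does not name the IDs Microsoft assigned for CVE-2026-42897.

```powershell
# Run from the Exchange Management Shell on any Exchange 2016/2019/SE server.
# Added example for this page: inventories EEMS state across the organisation so an
# admin can confirm the interim mitigations for CVE-2026-42897 actually landed.
# EEMS exists from Exchange 2016 CU22 / 2019 CU11; older CUs must use EOMT manually.
# The mitigation ID below is a placeholder, NOT taken from the article.
$expectedMitigation = 'M<ID>'

# 1. Is the Emergency Mitigation service itself running on this box?
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType

# 2. Org-wide view: EEMS enabled per server, which mitigations applied, which blocked.
#    Edge Transport servers are excluded because EEMS does not run on that role.
$report = Get-ExchangeServer |
    Where-Object { -not $_.IsEdgeServer } |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

$report | Format-Table -AutoSize

# 3. Flag servers that need attention: EEMS switched off, or the expected mitigation absent.
foreach ($s in $report) {
    if (-not $s.MitigationsEnabled) {
        Write-Warning ("{0}: EEMS disabled. Enable with: Set-ExchangeServer -Identity {0} -MitigationsEnabled `$true, " +
                       "or apply the mitigation manually with EOMT.") -f $s.Name
    }
    elseif ($s.MitigationsApplied -notcontains $expectedMitigation) {
        Write-Warning ("{0}: mitigation {1} not applied (blocked on this server: {2})" -f
                       $s.Name, $expectedMitigation, ($s.MitigationsBlocked -join ','))
    }
}

# 4. The article notes a mitigation can disable a feature. If that bites, opt the server
#    out of that single mitigation by ID instead of turning EEMS off entirely
#    (hypothetical server name EX01, placeholder ID):
# Set-ExchangeServer -Identity EX01 -MitigationsBlocked @('M<ID>')
```

Microsoft also ships Get-Mitigations.ps1 in the Exchange scripts directory ($exscripts), which reports the same applied/blocked state for the local server; the loop above is only useful because it covers every server in one pass and calls out the ones that would otherwise be missed.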