
CVE-2026-42897: Microsoft Exchange Zero-Day Is Being Exploited Right Now

A crafted email is all it takes. Open it in Outlook Web Access and an attacker runs JavaScript in your browser. No patch yet. Here's what to do if you run Exchange on-prem.

Darius J Davis · May 15, 2026

Open an email. Get owned. That's it.

CVE-2026-42897. CVSS 8.1. Microsoft Exchange Server. Actively exploited in the wild. No permanent patch available.

An attacker sends a specially crafted email to someone at your organization. That person opens the email in Outlook Web Access (OWA; Microsoft now calls it Outlook on the web). Under certain interaction conditions, arbitrary JavaScript executes in their browser, inside the OWA origin, with the victim's authenticated session.

From there, the attacker's script already runs as the logged-in user. It can read the mailbox, send messages as the victim, create inbox rules, or grab whatever session material the browser exposes so the attacker can keep using the session later. Mail is also the entry point for the next stage: password resets, internal phishing, and pivoting deeper into the network.

All because someone opened an email. In their work email client. Doing their job.

CISA added this to the Known Exploited Vulnerabilities catalog on May 15 and set a federal remediation deadline of May 29. That's a 14-day window. CISA only adds a CVE to KEV when it has evidence of active exploitation, and a two-week deadline is on the short end of what it sets.

Who's affected.

On-premises Exchange Server only. Exchange 2016, Exchange 2019, and Exchange Subscription Edition RTM.

Exchange Online (Microsoft 365) is not affected. If your email is fully in the cloud through Microsoft 365, this specific CVE doesn't apply to you.

But if you're one of the many businesses still running an Exchange server in your office or data center, you're in the blast radius. And there are a lot of you. Despite Microsoft's push to the cloud, tens of thousands of organizations worldwide still run on-prem Exchange.


Why Exchange keeps getting hit.

This isn't the first Exchange zero-day. It's not the fifth. Exchange Server has been a magnet for critical vulnerabilities for years:

  • ProxyLogon (2021): Remote code execution exploited by Hafnium. Estimated 250,000 servers compromised globally before patches were available.
  • ProxyShell (2021): Another RCE chain exploited in the wild.
  • ProxyNotShell (2022): Yet another. Exploited for months before a patch.
  • Now CVE-2026-42897: Cross-site scripting through crafted email in OWA.

There's a pattern here. Exchange is a massive, complex piece of software with a huge attack surface. It handles email (the #1 attack vector), it's internet-facing (by design), and the server itself holds significant privileges in Active Directory. Every vulnerability in Exchange is a high-value target because compromising it gives attackers access to every email in your organization, and often a path to the domain.

If you're still running Exchange on-prem, you need to have a serious conversation about whether that's the right decision for your business.

What to do right now.

If you have the Exchange Emergency Mitigation Service enabled:

Microsoft deployed an automatic mitigation on May 14. The Exchange Emergency Mitigation (EM) Service shipped in September 2021 (Exchange 2019 CU11 and Exchange 2016 CU22) and is enabled by default on every cumulative update since, including Subscription Edition. It pulls mitigations over outbound HTTPS from Microsoft's Office Config Service, so a server that is blocked from reaching the internet outbound, or one that is still on an older CU, will not have applied anything. Don't assume. Verify from the Exchange Management Shell, and remember that an EM mitigation is a temporary workaround, not the fix: you still need the security update when it ships.
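Here is how that check looks in practice. This is an added example for this post, not a script from Microsoft; it uses only standard Exchange cmdlets and the Get-Mitigations.ps1 script that ships in Exchange's Scripts folder. It does not know the mitigation ID for CVE-2026-42897, so it shows you every applied and blocked ID and leaves the match to you.

```powershell
# Added example: verify that the Exchange Emergency Mitigation (EM) Service is on and has
# actually applied mitigations. Run in the Exchange Management Shell as an Exchange admin
# on Exchange 2016 CU22+, Exchange 2019 CU11+ or Subscription Edition.

# 1. Organization-level switch. If this is False, nothing below will ever be applied.
#    (Re-enable with: Set-OrganizationConfig -MitigationsEnabled $true)
Get-OrganizationConfig | Format-List MitigationsEnabled

# 2. Per-server view: the enable flag plus the mitigation IDs applied or deliberately blocked.
#    An empty MitigationsApplied on a server that has been up for a day is the thing to worry about.
Get-ExchangeServer |
  Format-List Name, AdminDisplayVersion, MitigationsEnabled, MitigationsApplied, MitigationsBlocked, DataCollectionEnabled

# 3. Is the Windows service itself running on this box?
Get-Service MSExchangeMitigation | Format-List Name, Status, StartType

# 4. EM Service fetches its list from Microsoft's Office Config Service over HTTPS.
#    A proxy or egress rule that blocks this host silently disables the whole mechanism.
Test-NetConnection officeclient.microsoft.com -Port 443 | Format-List ComputerName, RemoteAddress, TcpTestSucceeded

# 5. Human-readable description of each mitigation currently applied on this server.
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')
```

If step 2 shows `MitigationsEnabled: True` but nothing under `MitigationsApplied`, fix egress first (step 4) and then check the Application event log for the MSExchange Mitigation Service source before calling it applied.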

If you don't have EM Service or aren't sure:

Contact your IT provider immediately and ask them to verify. If they don't know what the Exchange Emergency Mitigation Service is, that's a problem.

Practical steps:

1. Restrict OWA access. If your users can access email through a web browser (OWA), consider limiting access to the internal network or disabling OWA temporarily until a permanent patch is available. You can do that per mailbox (the OWAEnabled setting on the mailbox's client access configuration) or at the IIS layer for the /owa path. Outlook desktop, mobile ActiveSync, and the other client protocols run through separate virtual directories and keep working.

2. Put a web application firewall in front of OWA, with realistic expectations. The malicious message arrives over SMTP, so a WAF on the HTTP side never sees the email that carries the payload and cannot block it. What it can do is narrow who reaches /owa and /ecp at all (IP or geography allowlists, blocking anonymous probing) and give you request logs you would otherwise not have. That reduces the attack surface; it isn't a fix.

3. Monitor for indicators of compromise. Server logs won't show you "JavaScript executing"; what they do show is the aftermath. Watch the OWA IIS logs for a user's session coming from a new client IP or user agent, check the admin audit log and each mailbox for newly created inbox rules (forwarding, redirecting, or deleting mail is the classic persistence move after mailbox compromise), look for mailbox-level forwarding that nobody set up, and review SendAs activity in the mailbox audit log.

4. Seriously evaluate moving to Exchange Online. I know migration is painful. I know it costs money. I know there are reasons you're still on-prem. But how many Exchange zero-days does it take before the risk of staying on-prem exceeds the cost of migrating?

When your email server is in the cloud, Microsoft patches it. When it's in your server room, you patch it. And when a zero-day drops with no patch available, you're the one scrambling while Microsoft works on a fix.
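The containment and hunting steps above, as one script you can run from the Exchange Management Shell. This is an added example for this post, not a Microsoft script; it uses standard Exchange and Windows cmdlets. The 14-day lookback, the folder and keyword patterns used to flag rules, and the W3SVC1 log path are assumptions to tune for your environment.

```powershell
# Added example: contain OWA and hunt for post-compromise persistence on on-prem Exchange
# 2016/2019/SE. Run in the Exchange Management Shell as an Exchange admin.
$since = (Get-Date).AddDays(-14)   # assumption: look back two weeks; widen if exposure was longer

# 0. Containment: turn OWA off per mailbox. Outlook desktop (MAPI/HTTP), ActiveSync and EWS are
#    separate protocols and keep working. Remove -WhatIf once you have reviewed the list.
Get-CASMailbox -ResultSize Unlimited -Filter { OWAEnabled -eq $true } |
  Set-CASMailbox -OWAEnabled $false -WhatIf

# 1. Admin audit log: rule and forwarding changes made through the cmdlets. OWA's Options page
#    calls these under the user's own identity, so a hijacked session shows up with Caller = victim.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Set-Mailbox -StartDate $since |
  Select-Object RunDate, Caller, ObjectModified, CmdletName,
    @{ n = 'Params'; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } } |
  Sort-Object RunDate -Descending | Format-Table -AutoSize

# 2. Rules created from Outlook desktop over MAPI bypass that log, so enumerate every mailbox's
#    rules directly and flag the shapes attackers use: forward or redirect out, hide or delete mail,
#    or trigger on security-related keywords (patterns below are assumptions; extend them).
$hidingFolders = 'RSS|Conversation History|Junk|Archive|Deleted'
$keywords      = 'password|invoice|phish|security|hacked|helpdesk|it support'
$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if ($targets) { $reasons += 'forwards/redirects' }
        if ($rule.DeleteMessage -or "$($rule.MoveToFolder)" -match $hidingFolders) { $reasons += 'hides mail' }
        if ((@($rule.SubjectContainsWords) + @($rule.BodyContainsWords)) -match $keywords) { $reasons += 'keyword trigger' }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name; Enabled = $rule.Enabled
                Reasons = $reasons -join ', ';    Targets = $targets -join ';'
            }
        }
    }
}
$suspicious | Format-Table -AutoSize

#    Mailbox-level forwarding set outside of inbox rules.
Get-Mailbox -ResultSize Unlimited -Filter { ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null } |
  Format-Table Name, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward -AutoSize

# 3. Who used OWA, from where, with which client: parse the IIS W3C logs, taking field positions
#    from each file's "#Fields:" header instead of hard-coding them. IIS log timestamps are UTC.
$logDir = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles\W3SVC1'   # Default Web Site; verify the site ID
$fields = $null
Get-ChildItem $logDir -Filter '*.log' | Where-Object LastWriteTime -ge $since | Get-Content | ForEach-Object {
    if ($_ -like '#Fields:*') { $fields = ($_ -replace '^#Fields:\s*') -split ' '; return }
    if ($_ -like '#*' -or -not $fields) { return }
    $v = $_ -split ' '
    if ($v[$fields.IndexOf('cs-uri-stem')] -like '/owa*' -and $v[$fields.IndexOf('cs-username')] -ne '-') {
        [pscustomobject]@{
            User     = $v[$fields.IndexOf('cs-username')]
            ClientIP = $v[$fields.IndexOf('c-ip')]
            Agent    = $v[$fields.IndexOf('cs(User-Agent)')]
        }
    }
} | Group-Object User, ClientIP, Agent | Sort-Object Count -Descending | Select-Object Count, Name -First 50
```

Read the three outputs together: a user whose OWA sessions suddenly include a new IP and user agent, and who gained a rule that forwards to an outside address or dumps mail into RSS Feeds, is your starting point for incident response, not just a cleanup task.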

The on-prem email question.

Every time I walk into a small business that's running Exchange on-prem, I ask the same question: why?

Usually the answer is one of:

  • "It's what we've always used."
  • "We're worried about data in the cloud."
  • "The migration seems expensive."
  • "Our IT guy set it up and nobody wants to touch it."

All understandable. But let me reframe it.

You're running a piece of software that requires constant patching, handles the most sensitive communications in your business, is directly exposed to the internet, has a history of critical zero-day vulnerabilities, and is currently being actively exploited with no permanent fix available.

Microsoft has a team of thousands dedicated to securing Exchange Online. Your on-prem Exchange server has... your IT guy. Who also manages the printers and the Wi-Fi and twelve other things.

That's not a knock on your IT person. It's a statement about the math. The attack surface of an internet-facing Exchange server requires more security attention than most small businesses can provide.

If a migration conversation sounds useful, we can help you scope it. What it would cost, how long it would take, what the risks are during transition, and whether it makes sense for your specific situation. No pressure. Just math.

(773) 417-9994 or southsidechisolutions.com


Ready to secure your business?

Free 30-minute consultation. No sales script.

Call (773) 417-9994