
Addressing Exchange Server Vulnerability – May 2026 (CVE-2026-42897)

On May 14, 2026, Microsoft disclosed a high-severity vulnerability in Exchange Server (CVE-2026-42897). It affects on-premises Exchange environments and is currently under active exploitation. Organizations whose workloads run entirely in Exchange Online are not affected by this vulnerability.


Understanding the CVE-2026-42897 Vulnerability
The vulnerability is triggered when a user opens a specially crafted email in Outlook Web Access (OWA). Successful exploitation lets an attacker execute arbitrary JavaScript in the user's browser session, which can lead to session hijacking, credential theft, and spoofed communications.

Impacted Versions: Exchange Server 2016, 2019, and Subscription Edition (SE). Exchange Online is NOT impacted.


Mitigation Options:
Option 1: Exchange Emergency Mitigation (Recommended)
The Exchange Emergency Mitigation (EM) Service applies the mitigation for this vulnerability automatically, provided the service is enabled (it has been enabled by default since September 2021). Administrators can confirm that the mitigation has been applied by running the Exchange Health Checker script.

Option 2: Manual Mitigation Using EOMT
For environments where the EM Service cannot be used, download the Exchange On-Premises Mitigation Tool (EOMT) from https://aka.ms/UnifiedEOMT and run the following from the Exchange Management Shell:

Single server:
.\EOMT.ps1 -CVE "CVE-2026-42897"

All servers:
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
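Whichever option is used, the state of the mitigation should be verified on every server. The following Exchange Management Shell snippet is an added example, not part of this advisory or of Microsoft's tooling: it inventories the EM Service on all non-Edge servers using the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties the service exposes, and lists the servers that still need attention. The MSExchangeMitigation service name and the use of Get-Service -ComputerName (Windows PowerShell) are assumptions; no mitigation ID for CVE-2026-42897 is hard-coded because the advisory does not publish one.

```powershell
# Added example: inventory Exchange Emergency Mitigation (EM) Service state
# across all non-Edge servers, before and after running EOMT.
# Run from the Exchange Management Shell (Windows PowerShell).

# Organization-wide switch. If this is $false the EM Service is off on every
# server and only Option 2 (EOMT) will apply the mitigation.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = Get-ExchangeServer |
    Where-Object { $_.ServerRole -ne "Edge" } |
    ForEach-Object {
        # Assumed service name for the EM Service; query it remotely so one
        # unreachable server does not abort the whole sweep.
        $status = "Unknown"
        try {
            $svc = Get-Service -ComputerName $_.Fqdn -Name MSExchangeMitigation -ErrorAction Stop
            $status = $svc.Status.ToString()
        } catch {
            # Server offline, WinRM/RPC blocked, or service not installed.
        }
        [PSCustomObject]@{
            Server              = $_.Name
            Version             = $_.AdminDisplayVersion
            OrgMitigationsOn    = $orgEnabled
            ServerMitigationsOn = $_.MitigationsEnabled
            EMServiceStatus     = $status
            MitigationsApplied  = ($_.MitigationsApplied -join ", ")
            MitigationsBlocked  = ($_.MitigationsBlocked -join ", ")
        }
    }

# Full inventory for the change record.
$report | Format-Table -AutoSize

# Servers that need attention: EM disabled at org or server level, the
# service not running, or no mitigation recorded as applied yet.
$report | Where-Object {
    -not $_.OrgMitigationsOn -or
    -not $_.ServerMitigationsOn -or
    $_.EMServiceStatus -ne "Running" -or
    [string]::IsNullOrEmpty($_.MitigationsApplied)
} | Format-Table Server, ServerMitigationsOn, EMServiceStatus, MitigationsApplied, MitigationsBlocked -AutoSize
```

Any server listed in the second table should be run through EOMT (Option 2) and re-checked; a non-empty MitigationsBlocked column means an administrator has explicitly blocked a mitigation on that server and should review why.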


Important Note:

Microsoft is actively working on a security update that resolves this vulnerability for the affected versions of Exchange Server. Until it ships, organizations are asked to apply the emergency mitigation as a temporary workaround. Administrators should note that this workaround comes with certain "Known Issues" in on-premises OWA. For more details, see https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498


Conclusion
Helient strongly recommends that customers immediately review their Exchange Server environments for exposure to CVE-2026-42897 and enable the appropriate mitigation. Given the active exploitation and high severity, rapid response and validation are critical. Organizations should also prioritize a long-term migration to Exchange Online to reduce reliance on on-premises infrastructure. If you would like more information or assistance in securing your Exchange environment, please contact our industry-leading experts at service@helient.com.