Microsoft Confirms Active 0-Day Exploit—Check Emergency Mitigation Now
It’s been something of a rough few days for Microsoft Exchange on the security vulnerability front. One zero-day was demonstrated at the Pwn2Own Berlin hacking event; it has been responsibly disclosed and has not been released into the wild. Another Exchange zero-day, confirmed by Microsoft on May 14, is definitely already out there and under active exploitation, according to the U.S. Cybersecurity and Infrastructure Security Agency. CISA added the CVE-2026-42897 vulnerability to its Known Exploited Vulnerabilities Catalog on May 15, urging all organizations to prioritize timely remediation because the attack vector poses a significant risk. Here’s what you need to know.
The Microsoft Exchange CVE-2026-42897 Zero-Day Explained
Microsoft disclosed CVE-2026-42897 on May 14, describing the zero-day as a Microsoft Exchange Server spoofing vulnerability. Technically speaking, the vulnerability arises from improper neutralization of input during web page generation (cross-site scripting, in plain terms), which enables an attacker to perform spoofing over the network. All it takes to exploit it is a maliciously crafted email which, when opened in Outlook Web Access, can execute arbitrary JavaScript in the context of the victim's browser.
"The disclosure of CVE-2026-42897 is a reminder that on-premises Exchange remains the most targeted piece of real estate in the enterprise stack,” Damon Small, a director at Xcape, Inc., said, adding that “this zero-day allows unauthenticated remote code execution, effectively granting attackers a direct path to the heart of corporate identity and communications.”
Exchange Online is not impacted by the zero-day, but the following on-premises Exchange Server versions are:
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any update level)
Microsoft has recommended mitigation via the Exchange Emergency Mitigation Service, as the patch has already been published through it. “Using EM Service is the best way for your organization to mitigate this vulnerability right away,” Microsoft said. “If you have EM Service currently disabled, we recommend you enable it right away.”
The priority must be immediate validation that the EM Service is actually functional and applying the necessary URI blocks, Small said, “as a single misconfigured server can serve as the beachhead for a full domain compromise.” Small also warned that this incident must accelerate the move from Exchange Server to Microsoft Exchange Online or, “at the very least, to isolate these servers behind a zero-trust gateway.”
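Validating that the EM Service is actually enabled, running, reachable and has applied mitigations is something an Exchange administrator can script. The following is an added example, not code from the article, from Microsoft or from the quoted source; it assumes it is run from the Exchange Management Shell on an affected on-premises server, that `<SERVER-NAME>` is replaced with your own server name, and that the endpoint and script names match Microsoft's documented EM Service components.

```powershell
# Added example: check the Exchange Emergency Mitigation (EM) Service end to end.
# Assumes the Exchange Management Shell on Exchange 2016 / 2019 / SE.
# <SERVER-NAME> is a placeholder for the server you are checking.

$server = "<SERVER-NAME>"

# 1. Mitigations must be enabled at the organization level ...
$org = Get-OrganizationConfig
"Org   MitigationsEnabled : $($org.MitigationsEnabled)"

# 2. ... and on the individual server. MitigationsApplied / MitigationsBlocked
#    show which mitigation IDs the service has already pushed or is withholding.
$srv = Get-ExchangeServer -Identity $server
"Server MitigationsEnabled : $($srv.MitigationsEnabled)"
"MitigationsApplied        : $($srv.MitigationsApplied -join ', ')"
"MitigationsBlocked        : $($srv.MitigationsBlocked -join ', ')"

# 3. The EM Service runs as the Windows service 'MSExchangeMitigation'.
#    If it is stopped or disabled, nothing is applied regardless of the flags above.
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType

# 4. The service pulls mitigations from Microsoft's Office Config Service over
#    HTTPS. A blocked outbound path is a common reason a server silently
#    receives nothing. (Endpoint name taken from Microsoft's EM Service docs;
#    verify it against the current documentation for your version.)
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Turn the service on where it is off (assumption: you want it enabled everywhere).
if (-not $org.MitigationsEnabled) { Set-OrganizationConfig -MitigationsEnabled $true }
if (-not $srv.MitigationsEnabled) { Set-ExchangeServer -Identity $server -MitigationsEnabled $true }

# 6. Microsoft ships Get-Mitigations.ps1 in the Exchange Scripts folder; it lists
#    the mitigations currently applied on this server, including any URL rewrite
#    (URI block) rules the EM Service has installed in IIS.
& "$env:ExchangeInstallPath\Scripts\Get-Mitigations.ps1"
```

Run this on every on-premises Exchange server, not just one: as the quote above notes, a single server that is enabled on paper but cannot reach the mitigation endpoint or has the service stopped is the one that matters. Treat an empty `MitigationsApplied` list on a server that has been online for hours after the mitigation was published as a finding to investigate, not as a clean result.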