Critical alert: CVE-2026-42897 allows spoofing in Exchange Server on-premises using XSS

Microsoft has confirmed critical vulnerability in on-premises versions of Exchange Server, registered as CVE-2026-42897 which is being actively exploited in real environments. This is a type of failure. cross-site scribing (XSS) that allows spoofing: an attacker can send a specially crafted mail that, if the recipient opens it in Outlook Web Access (OWA) and performs certain interactions, allows arbitrary JavaScript to be executed in the context of the user's browser.

The nature of this failure makes it particularly dangerous in combination with social engineering techniques: the initial vector does not require committed credentials or prior access to the server, it is enough for the target user to visualize or interact with the message in OWA. Although Microsoft has assigned a high CVSS (8.1) and marked the incidence as "Exploitation Detected," forensic details about the actor, campaigns or scale of intrusions have not yet been published, which complicates the attribution and actual extent of the damage.

It is important to stress that Exchange Online is not affected but the local facilities of Exchange Server 2016, 2019 and Subscription Edition are at any level of update. Microsoft has enabled automatic temporary mitigation through its Exchange Emergency Mitigation Service (EEMS); administrators can consult the official documentation at the EEMS page to confirm the status and configuration of that service.

For environments isolated by air-gap policies or unable to use automatic mitigation, Microsoft has published the Exchange On-premises Mitigation Tool (EOMT). The official short link is https: / / aka.ms / UnifiedEOMT, and the typical execution to apply the mitigation would be, for example, to run.\ EOMT.ps1 -CVE "CVE-2026-42897" in a raised Exchange Management Shell or use a command that runs through servers with Get-ExchangeServer to apply it to all.

Beyond applying the mitigation provided, organizations should assume that OWA exposure increases the risk: review and enable automatic mitigation (EEMS) and confirm that the corresponding Windows service is running, or apply EOMT if the network is disconnected. Meanwhile, reduce the attack surface by limiting external access to OWA through access control lists, virtual private networks, or a WAF with rules to block suspicious payloads, and force multifactor authentication for web access where possible.

In addition to containment measures, it incorporates detection and response tasks: inspect records of OWA and the Exchange server in search of unusual access, header or parameters containing scripts, and pivote in mailboxes that could receive suspicious emails. If there is a suspicion of exploitation, preserve evidence, isolate the affected servers and contact the internal support and response team or Microsoft to coordinate the investigation.

The prolonged exposure of on-premises servers without patches or modern mitigations makes this type of vulnerability a disproportionate impact. As a security practice, plan to apply the final patch as soon as Microsoft publishes it, review the architecture to reduce critical units in exposed services and update incident response processes to cover web-based and spoofing-based attacks.

To stay informed and obtain specific instructions for the application of mitigation and patches, see the official Microsoft sources and vulnerability response documentation: EEMS and EOMT (mitigation tool). It is also recommended to subscribe to security bulletins and Vulnerability Intelligence Feeds for additional updates and technical details.

If you administer an affected Exchange server, act with priority: apply appropriate mitigation now, monitor engagement evidence and prepare to deploy the permanent patch as soon as it is available. Coordination between IT, security and internal communication teams is key to minimizing risk and containing possible campaigns for its users.