Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers

https://www.infosecurity-magazine.com/news/microsoft-zeroday-exchange-servers/

Publish Date: 2026-05-15 08:35:00

Source Domain: www.infosecurity-magazine.com

Microsoft has warned of a high-severity zero-day vulnerability that could allow an attacker to deliver arbitrary code to a victim via a specially crafted email sent to an Outlook user.

The flaw, tracked as CVE-2026-42897, is due to an improper neutralization of input during web page generation – also called cross-site scripting (XSS) – in Microsoft Exchange Server that allows an unauthorized attacker to perform spoofing over a network.

This high-severity vulnerability (CVSS rating of 8.1), disclosed by the tech giant on May 14, affects the following on-premises Exchange Server versions:

  • All existing Exchange Server 2016 versions
  • All existing Exchange Server 2019 versions
  • All existing Exchange Server Subscription Edition (SE) versions

It does not impact Exchange Online.

Temporary Fixes Available While Patch Is in Development

Microsoft has not yet released a patch for this vulnerability.

However, in a security advisory published on May 14, the Exchange Team shared two approaches security teams can take to mitigate the impact of potential exploits of this vulnerability before patches are available.

The first option, which Microsoft recommends, uses the Exchange Emergency Mitigation (EM) Service.

If the EM Service is enabled, which it is by default, the mitigation has already been automatically applied.

Administrators can verify this by:

  • Checking the applied mitigations for CVE-2026-42897 (M2.1.x) through the documentation
  • Running the Exchange Health Checker script to quickly check the status of EM Service and applied mitigations
  • Enabling the EM Service if it is currently disabled, as Microsoft strongly recommends doing so

Note that servers running versions older than March 2023 cannot receive new mitigations through this service.
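The verification steps above can be scripted from the Exchange Management Shell. The following is an added example written for this article, not a script from Microsoft or from the advisory; it uses the organisation- and server-level `MitigationsEnabled` switches and the `MitigationsApplied` and `MitigationsBlocked` server properties exposed by the EM Service, and treats the mitigation ID as a placeholder prefix (`M2.1`) because the article only gives it as "M2.1.x". The Windows service name `MSExchangeMitigation` and the Health Checker download location are taken from Microsoft's EM Service documentation as the author recalls it; confirm them against the advisory before relying on the output.

```powershell
# Added example (not from the article or from Microsoft's advisory).
# Run in the Exchange Management Shell on, or against, an on-premises server to
# confirm the EM Service is enabled and that a CVE-2026-42897 mitigation is present.
param(
    [string]$Server = $env:COMPUTERNAME,
    # Placeholder: the article gives the mitigation ID only as "M2.1.x".
    [string]$MitigationPrefix = 'M2.1'
)

# 1. Organisation-wide switch: when this is $false no server applies mitigations.
$org = Get-OrganizationConfig
"Org-wide MitigationsEnabled : $($org.MitigationsEnabled)"

# 2. Per-server switch, build, and the mitigations the EM Service has applied or blocked.
$srv = Get-ExchangeServer -Identity $Server
"Server MitigationsEnabled   : $($srv.MitigationsEnabled)"
"AdminDisplayVersion         : $($srv.AdminDisplayVersion)"   # compare by hand against the March 2023 cut-off
"MitigationsApplied          : $(@($srv.MitigationsApplied) -join ', ')"
"MitigationsBlocked          : $(@($srv.MitigationsBlocked) -join ', ')"

# 3. Is the EM Windows service itself running on the target server?
$svc = Get-Service -ComputerName $Server -Name MSExchangeMitigation -ErrorAction SilentlyContinue
"EM service state            : $(if ($svc) { $svc.Status } else { 'service not found' })"

# 4. Decide what, if anything, the administrator still has to do.
$applied = @($srv.MitigationsApplied) | Where-Object { $_ -like "$MitigationPrefix*" }
if (-not $org.MitigationsEnabled -or -not $srv.MitigationsEnabled) {
    Write-Warning "EM Service is disabled; enable it and re-run this check:"
    Write-Warning "  Set-OrganizationConfig -MitigationsEnabled `$true"
    Write-Warning "  Set-ExchangeServer -Identity $Server -MitigationsEnabled `$true"
} elseif (-not $applied) {
    Write-Warning ("EM Service is enabled but no $MitigationPrefix* mitigation is applied. " +
                   "The server may be too old to receive it (pre-March 2023 build) or has not " +
                   "polled yet; consider the manual mitigation described in the advisory.")
} else {
    "Mitigation present          : $($applied -join ', ')"
}

# 5. Microsoft's Health Checker reports the same state in a full report:
#    .\HealthChecker.ps1 -Server $Server   (script from https://aka.ms/ExchangeHealthChecker)
```

Run it once per server rather than once per organisation: the org-wide switch can be on while an individual server has been opted out, and the `MitigationsApplied` list is per server, so a single healthy result does not prove the whole estate is covered.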

The second mitigation option is intended for environments unable to use the EM Service, such as disconnected or air-gapped environments.

Administrators can manually apply the mitigation by:

  • Downloading the…
