Cybersecurity

CISA Now Requires Action: Microsoft Exchange Server CVE-2026-42897 Is Being Actively Exploited — Step-by-Step Guidance for Small Businesses

Microsoft confirmed active exploitation of Exchange Server zero-day CVE-2026-42897, and CISA has now added it to its Known Exploited Vulnerabilities catalog with a May 29 deadline. Here's what your business needs to do right now.

UPDATE (May 16, 2026): Since our earlier posts on this topic, CISA has officially added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to apply mitigations by May 29, 2026. This post focuses on what that means for small businesses and walks you through exactly what to do.


If your business runs its own on-premises Microsoft Exchange Server, stop what you're doing and read this. A zero-day vulnerability is actively being used against Exchange servers right now — and the U.S. government just put a hard deadline on fixing it.

What's Happening

The Hacker News reports that Microsoft has confirmed active exploitation of a new security vulnerability tracked as CVE-2026-42897, which carries a CVSS score of 8.1. The flaw is a cross-site scripting (XSS) bug in Microsoft Exchange Server that allows an unauthorized attacker to perform spoofing over a network.

Here's the part that should get your attention: the attack starts with nothing more than a specially crafted email. If the recipient opens that email in Outlook Web Access (OWA), the browser-based interface many businesses use to check email remotely, the malicious JavaScript embedded in it can execute in the browser under certain conditions. Because it runs inside the user's already-signed-in OWA session, that script can do whatever the user can do with their mailbox. No additional software needed. No suspicious link to click. Just opening the email.

Help Net Security notes that Microsoft has not yet disclosed which specific "interaction conditions" are required for the attack to succeed, nor has it shared details about the in-the-wild attacks that have already been detected. That kind of silence from Microsoft is actually telling — it usually means they don't want to give attackers a roadmap while a permanent patch is still being developed.

Which Versions Are Affected

According to Help Net Security, the following on-premises Exchange Server versions are affected:

  • Exchange Server 2016 (any update level)
  • Exchange Server 2019 (any update level)
  • Exchange Server Subscription Edition (SE) RTM (any update level)

Exchange Online (Microsoft 365) is NOT affected. If your business uses cloud-hosted Microsoft email through a Microsoft 365 subscription, you're in the clear on this one. This vulnerability is specific to organizations hosting their own Exchange servers.

Why This Is a Big Deal for Small Businesses

It might be tempting to think this is a "big enterprise problem," but that's exactly the kind of thinking attackers count on. Security Affairs explains it well: Exchange zero-days are dangerous because they sit at the center of corporate email — one of the most sensitive and widely used systems in any organization. Once attackers get into Exchange, they can:

  • Read emails and attachments — including sensitive client communications, contracts, and financial records
  • Steal credentials stored in or passed through email
  • Reset passwords and move laterally into other systems on your network
  • Maintain long-term, hidden access through mail rules and access tokens

And because an on-premises Exchange server accepts mail from the internet by design, there's no need for an attacker to be on your network first. They just need to get an email into someone's inbox.

Security Affairs also notes that Exchange zero-days are frequently targeted in both cyber espionage campaigns and ransomware operations — because they provide high-value access with relatively low noise.

What CISA Is Saying

On May 15, 2026 — the same day Microsoft disclosed the vulnerability — The Hacker News confirmed that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog. Federal civilian agencies have until May 29, 2026 to apply mitigations.

While that mandate technically applies to federal agencies, CISA consistently recommends that private organizations also review the KEV catalog and address listed vulnerabilities. When the government puts a hard deadline on something, that's a strong signal that the threat is real and active.

Step-by-Step: What Your Business Should Do Right Now

No permanent patch exists yet. Microsoft is working on one and says it will release updates for Exchange SE RTM, Exchange 2016 CU23, Exchange Server 2019 CU14 and CU15. In the meantime, here's how to apply the temporary mitigation:

Option 1: Exchange Emergency Mitigation Service (Easiest)

The Exchange Emergency Mitigation Service (EEMS) is built into every affected Exchange build (it shipped with Exchange 2016 CU22 and Exchange 2019 CU11, and SE includes it) and is enabled by default. Once an hour it checks in with Microsoft's Office Config Service over outbound HTTPS, downloads any mitigation published for your version, and applies it automatically as an IIS URL Rewrite rule. No manual steps are required, but note the dependency: a server that can't reach that Microsoft endpoint will never receive the mitigation.

To verify it's working:

  1. Open the Windows Services panel on your Exchange server
  2. Look for the service called Microsoft Exchange Emergency Mitigation
  3. Confirm its status shows as Running

If the service is running, the mitigation should apply automatically. The Hacker News notes there's a known cosmetic display glitch where the mitigation may show "Mitigation invalid for this exchange version" in the description field — Microsoft has confirmed this is a display bug only. If the status shows "Applied," the mitigation is working correctly.
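To go a step beyond the Services panel, the following PowerShell pulls the same answer from every Mailbox server at once. It is added here as a worked example; it is not part of the original guidance and not a Microsoft script. It assumes you are in an elevated Exchange Management Shell, that the service's internal name is MSExchangeMitigation, that your build exposes the per-server MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties and ships Get-Mitigations.ps1 in the Exchange Scripts folder, and that EEMS fetches mitigations from officeclient.microsoft.com over HTTPS. Check those names against Microsoft's EEMS documentation for your cumulative update before relying on them.

```powershell
# Added example: verify EEMS on every non-Edge Exchange server.
# Run from an elevated Exchange Management Shell.
# Assumed names (verify against Microsoft's EEMS documentation for your CU):
#   service name      : MSExchangeMitigation
#   mitigation source : officeclient.microsoft.com (TCP 443)
#   helper script     : $exscripts\Get-Mitigations.ps1

$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }

# 1. Org-wide switch: if this is $false, EEMS does nothing on any server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization MitigationsEnabled: $orgEnabled"

# 2. Per-server service state and what EEMS reports having applied or blocked.
$report = foreach ($s in $servers) {
    $svc   = Get-Service -Name MSExchangeMitigation -ComputerName $s.Name -ErrorAction SilentlyContinue
    $fresh = Get-ExchangeServer -Identity $s.Name   # re-read to get current mitigation properties
    [PSCustomObject]@{
        Server             = $s.Name
        Service            = if ($svc) { $svc.Status } else { 'NotInstalled' }
        MitigationsEnabled = $fresh.MitigationsEnabled
        Applied            = ($fresh.MitigationsApplied -join ', ')
        Blocked            = ($fresh.MitigationsBlocked -join ', ')
    }
}
$report | Format-Table -AutoSize

# 3. Anything that is not Running with mitigations enabled needs attention:
#    fix it, or fall back to the manual EOMT route described under Option 2.
$needsAttention = $report | Where-Object { $_.Service -ne 'Running' -or -not $_.MitigationsEnabled }
if ($needsAttention) {
    Write-Warning "EEMS is not fully active on: $($needsAttention.Server -join ', ')"
    # To re-enable on a server where it was switched off (only if that was not deliberate):
    # Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true
}

# 4. EEMS can only apply what it can download. This is the outbound dependency
#    that an air-gapped or egress-filtered server will fail.
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Per-mitigation detail for the local server, including the Description
#    column where the harmless "Mitigation invalid for this exchange version"
#    text may appear. Status is the field that matters.
& "$exscripts\Get-Mitigations.ps1"
```

If step 4 fails or step 3 warns about a server, treat that server as unprotected and move on to Option 2 for it; a green Services panel on a server that can't reach Microsoft is not a mitigation.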

Option 2: Exchange On-Premises Mitigation Tool (For Air-Gapped or Offline Servers)

If your Exchange server can't reach the internet (common in high-security environments), or if EEMS is disabled or isn't running, you'll need to apply the mitigation manually:

  1. Download the latest version of the Exchange On-Premises Mitigation Tool (EOMT) from Microsoft's official repository (the CSS-Exchange project on GitHub). For an offline server, download it on a connected machine and copy it over

  2. Open an elevated Exchange Management Shell (EMS) — run as administrator

  3. Run one of the following commands:

    • For a single server:
      .\EOMT.ps1 -CVE "CVE-2026-42897"
      
    • For all Mailbox servers at once (Edge Transport servers don't host OWA, so they're excluded):
      Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
      
  4. Confirm the status shows "Applied" — again, ignore any cosmetic error in the Description field

After Applying the Mitigation

  • Monitor Microsoft's Exchange Team blog for announcements about the permanent security update
  • Warn your staff not to open unexpected emails, especially anything with links or attachments, even from known contacts — the attacker sends a crafted email, so user awareness matters
  • Check whether OWA needs to be internet-facing. If employees only use OWA inside the office, restricting external access cuts down what an attacker can do from outside with any stolen session or credentials. It does not stop the trigger itself, though: the script fires in the browser of whoever opens the message, wherever they happen to be sitting, so treat this as defense in depth rather than a substitute for the mitigation
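The persistence tricks listed earlier (mail rules, forwarding, extra access to a mailbox) are exactly what an attacker running script inside a victim's OWA session would reach for, so once the mitigation is in place it's worth checking that nobody already got in. The script below is an added example, not part of the original post and not Microsoft tooling. It assumes an elevated Exchange Management Shell with rights to read every mailbox's configuration; the pattern used to skip the mailbox's own SELF entry and orphaned SIDs in the permissions check is our own and may need widening for your environment.

```powershell
# Added example: post-mitigation check for mailbox-level persistence.
# Run from an elevated Exchange Management Shell with recipient read rights.

$allMailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Inbox rules that forward, redirect, or quietly delete mail. An attacker who
#    ran script as the user can create these from the user's own session; a rule
#    that ships everything to an outside address rarely has an innocent owner.
$ruleHits = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 2. Forwarding set on the mailbox object itself rather than in a rule.
$forwardHits = $allMailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Full Access granted directly (not inherited) to something other than the
#    mailbox's own SELF entry or an orphaned SID. Assumed filter pattern: widen it
#    if your environment legitimately uses other service principals.
$permHits = foreach ($mbx in $allMailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and
            -not $_.IsInherited -and
            $_.User -notmatch 'NT AUTHORITY\\SELF|^S-1-5-'
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } }, User, AccessRights
}

# 4. Mailbox auditing is off by default on-premises; without it there is no
#    record of who created a rule or read a folder. Turn it on so the next
#    investigation has something to work with.
$unaudited = $allMailboxes | Where-Object { -not $_.AuditEnabled }
# $unaudited | Set-Mailbox -AuditEnabled $true   # uncomment to enable auditing

'Suspicious inbox rules:';  $ruleHits    | Format-Table -AutoSize
'Mailbox forwarding:';      $forwardHits | Format-Table -AutoSize
'Non-owner full access:';   $permHits    | Format-Table -AutoSize
"Mailboxes without auditing: $($unaudited.Count)"
```

Every hit needs a human to confirm it's expected (shared mailboxes and assistants produce legitimate entries). Anything you can't explain on a mailbox whose owner reads mail in OWA is worth treating as a possible compromise rather than a misconfiguration.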

Worth Noting: The Timing Is Suspicious

Security Affairs points out that this zero-day surfaced just two days after Microsoft's May 2026 Patch Tuesday, which addressed 138 other vulnerabilities. Attackers often watch Patch Tuesday releases closely and ramp up activity in the days that follow — either targeting newly disclosed flaws or, in this case, exploiting a separate issue that slipped through.

It's a reminder that patch management isn't a once-a-month task. The threat landscape moves faster than that.

Need Help?

If you're a Yuba City area business running on-premises Exchange and you're not sure whether your server is protected, or if you'd like someone to verify the mitigation was applied correctly, we're happy to take a look. Our business IT services include hands-on support for exactly these kinds of urgent situations. Give us a call at (530) 645-7007 during our regular hours, Monday through Friday, 9:30 AM to 5:00 PM.

The bottom line: if you're running Exchange 2016, 2019, or SE on your own hardware, apply the mitigation today. Don't wait for a permanent patch — attackers certainly aren't waiting.

Tags
cybersecurity small-business-it vulnerability patch-management microsoft