Is Your Exchange Server Under Attack Right Now? Here's How to Check and What to Do
What's new since our earlier breaking-news report: Since we first flagged CVE-2026-42897, Microsoft has confirmed active in-the-wild exploitation, detailed the specific on-premises versions affected, and published two distinct mitigation paths — including an automatic fix for servers with the Exchange Emergency Mitigation Service already running. On top of that, day two of Pwn2Own Berlin 2026 produced an independent, $200,000 demonstration of Microsoft Exchange being compromised via a chained three-bug exploit, underscoring just how much elite research attention Exchange is drawing right now. If you run an on-premises Exchange server, this is the guide you need.
What Is CVE-2026-42897 and Why Does It Matter?
The Hacker News describes CVE-2026-42897 as a spoofing vulnerability rooted in a cross-site scripting (XSS) flaw — specifically, improper neutralization of input during web page generation in Microsoft Exchange Server. Microsoft has assigned it a CVSS score of 8.1, placing it firmly in the "high severity" range.
Here's the attack in plain English: A threat actor sends a specially crafted email to someone in your organization. If that person opens the email in Outlook Web Access (OWA), the browser-based version of email access, and certain interaction conditions are met, arbitrary JavaScript executes inside the victim's browser session. Because that script runs with the victim's already-authenticated OWA session, it can do anything the victim can do in the mailbox. From there, Security Affairs notes that attackers can access emails and attachments, steal credentials, reset passwords, move into other connected systems, and establish long-term access through mail rules or tokens.
Microsoft has confirmed it detected active exploitation in the wild but has not disclosed details about the attacks, the threat actors involved, or the scale of the activity.
Is Your Exchange Server Affected? Check Your Version Now
Help Net Security reports that the vulnerability affects the following on-premises Exchange Server versions:
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) RTM (any update level)
Exchange Online is not affected. If your organization uses Microsoft 365 / Exchange Online exclusively, you can breathe easier — this one doesn't touch you.
If you're not sure which version you're running, open an Exchange Management Shell on your server and run:
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
The output will tell you your version and cumulative update (CU) level. If you're running an older CU for Exchange 2016 or 2019, Microsoft's guidance is to update to a supported CU immediately before applying mitigations.
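The following script is an added example, not a command from the original article or from Microsoft. It wraps the version check above in a small function that classifies each server by product line from its AdminDisplayVersion so you can see at a glance which of the three affected product lines a server belongs to and what build it is on. Two things in it are assumptions rather than facts from the article: that Exchange 2016 reports version 15.1 while Exchange 2019 and Subscription Edition both report 15.2, and that SE RTM builds begin at build 2562 (check the 15.2 boundary against Microsoft's Exchange build-number table before relying on it).

```powershell
# Added example: classify Exchange servers by product line from AdminDisplayVersion.
# Assumptions (not from the article): 2016 = 15.1.x, 2019 = 15.2.x below build 2562,
# SE = 15.2.x at build 2562 or higher. Verify the SE boundary against Microsoft's build table.

function Get-ExchangeProductLine {
    param(
        [Parameter(Mandatory)] [string] $AdminDisplayVersion
    )
    # AdminDisplayVersion renders as "Version 15.2 (Build 1748.10)"; pull the four numbers out.
    if ($AdminDisplayVersion -notmatch 'Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)') {
        return [pscustomobject]@{ Product = 'Unrecognized'; Build = $AdminDisplayVersion; OnPremAffected = $false }
    }
    $major = [int]$Matches[1]; $minor = [int]$Matches[2]; $build = [int]$Matches[3]; $rev = $Matches[4]

    $product = switch ("$major.$minor") {
        '15.1'  { 'Exchange Server 2016' }
        '15.2'  { if ($build -ge 2562) { 'Exchange Server SE' } else { 'Exchange Server 2019' } }  # 2562 = assumed SE RTM boundary
        default { 'Unrecognized / legacy' }
    }

    [pscustomobject]@{
        Product        = $product
        Build          = "$major.$minor.$build.$rev"
        # The article lists 2016, 2019 and SE at any update level as affected on-premises versions.
        OnPremAffected = $product -in 'Exchange Server 2016', 'Exchange Server 2019', 'Exchange Server SE'
    }
}

# Constructed sample strings so the function can be exercised without a live server.
'Version 15.1 (Build 2507.6)', 'Version 15.2 (Build 1748.10)', 'Version 15.2 (Build 2562.17)' |
    ForEach-Object { Get-ExchangeProductLine -AdminDisplayVersion $_ } | Format-Table -AutoSize

# Live run from an Exchange Management Shell: one row per server in the organization.
Get-ExchangeServer | ForEach-Object {
    $info = Get-ExchangeProductLine -AdminDisplayVersion $_.AdminDisplayVersion.ToString()
    [pscustomobject]@{
        Name           = $_.Name
        Role           = $_.ServerRole
        Product        = $info.Product
        Build          = $info.Build
        OnPremAffected = $info.OnPremAffected
    }
} | Format-Table -AutoSize
```

Because every update level of all three product lines is affected, the useful output is not the OnPremAffected column (it will be true for every on-premises server) but the Build column, which tells you whether you are already on one of the CU levels the permanent update is slated for.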
No Patch Yet — But Mitigations Are Available Right Now
There is currently no permanent security update for CVE-2026-42897. Microsoft is working on one and has said it will be released for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. Critically, Help Net Security notes that Exchange 2016 and 2019 updates will only be released to customers enrolled in the Period 2 Exchange Server ESU program.
In the meantime, Microsoft has provided two mitigation paths:
Option 1: Exchange Emergency Mitigation Service (Recommended)
The Exchange Emergency Mitigation Service (EEMS) has shipped with Exchange Server since the September 2021 cumulative updates (Exchange 2016 CU22 and Exchange 2019 CU11) and is enabled by default. It periodically fetches mitigation definitions from Microsoft's Office Config Service over outbound HTTPS, so it needs internet access from the Exchange server to work. According to The Hacker News, if the service is enabled, the mitigation for this CVE, a URL rewrite configuration, is applied automatically. You may already be protected without doing anything manually.
To verify the service is running:
- Open Windows Services (services.msc)
- Look for Microsoft Exchange Emergency Mitigation (service name MSExchangeMitigation)
- Confirm the status is Running
If it's not running, start it and set it to Automatic startup.
Known cosmetic issue: Microsoft has acknowledged that after the mitigation is applied, some servers may show "Mitigation invalid for this exchange version" in the Description field. Per the Exchange Team, this is a display bug only. If the status shows "Applied," the mitigation is active and working.
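Rather than clicking through services.msc on each box, the same check can be done from the Exchange Management Shell. The script below is an added example, not part of the article; it uses cmdlets and properties Microsoft documents for EEMS (Get-OrganizationConfig and Get-ExchangeServer expose MitigationsEnabled, MitigationsApplied and MitigationsBlocked) plus a CIM query for the local service. The article does not give the mitigation ID EEMS uses for this CVE, so the script lists whatever IDs are recorded as applied instead of matching a hard-coded one; the repair branch for a stopped service is the example's own choice.

```powershell
# Added example: verify EEMS is on at the org level, running locally, and recording applied
# mitigations on every non-Edge server. Run it on each Exchange server (the service check
# is local; the MitigationsApplied columns cover the whole org).

function Test-EemsHealth {
    # Org-level switch: if this is $false, EEMS does nothing anywhere regardless of server state.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
    Write-Host "Organization MitigationsEnabled: $orgEnabled"

    # Local service state via CIM (works in Windows PowerShell 5.1, which EMS runs on).
    $svc = Get-CimInstance Win32_Service -Filter "Name='MSExchangeMitigation'"
    if (-not $svc) {
        Write-Warning "MSExchangeMitigation service not found on this host; this CU may predate EEMS."
    } else {
        Write-Host "Local EEMS service: State=$($svc.State) StartMode=$($svc.StartMode)"
        if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
            # Repair: set Automatic startup and start it, as the article instructs.
            Set-Service -Name MSExchangeMitigation -StartupType Automatic
            Start-Service -Name MSExchangeMitigation
            Write-Host "Started MSExchangeMitigation and set it to Automatic."
        }
    }

    # Per-server mitigation state for the whole org (Edge servers do not run EEMS).
    $rows = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' } | ForEach-Object {
        [pscustomobject]@{
            Server             = $_.Name
            MitigationsEnabled = $_.MitigationsEnabled
            MitigationsApplied = ($_.MitigationsApplied -join ', ')   # empty means nothing applied yet
            MitigationsBlocked = ($_.MitigationsBlocked -join ', ')   # IDs an admin has opted out of
        }
    }
    $rows | Format-Table -AutoSize

    # Surface the servers that still need attention.
    $rows | Where-Object { -not $_.MitigationsEnabled -or [string]::IsNullOrEmpty($_.MitigationsApplied) } |
        ForEach-Object { Write-Warning "$($_.Server): EEMS disabled or no mitigations applied" }
}

Test-EemsHealth
```

A server with MitigationsEnabled set to true but an empty MitigationsApplied list usually means EEMS has not yet completed a fetch; confirm the server can reach Microsoft over outbound HTTPS before falling back to the manual tool.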
Option 2: Exchange On-Premises Mitigation Tool (EOMT)
For air-gapped environments or servers where EEMS isn't an option, The Hacker News outlines the manual approach:
- Download the latest Exchange On-Premises Mitigation Tool (EOMT) from aka.ms/UnifiedEOMT
- Open an elevated Exchange Management Shell (EMS) and change to the folder where you saved the script
- Run the appropriate command:
Single server:
.\EOMT.ps1 -CVE "CVE-2026-42897"
All servers at once (excluding Edge transport):
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
Why Exchange Zero-Days Are Especially Dangerous
This isn't just another software bug. Security Affairs puts it well: Exchange servers sit at the center of corporate email — one of the most sensitive systems in any organization. Many on-premises deployments are internet-facing, which means attackers don't need a foothold inside your network first. A zero-day on an internet-exposed Exchange server is essentially an unlocked front door.
OWA makes the attack surface even broader. Because the exploit is triggered through a browser, it can be launched via a simple phishing-style email. Exchange zero-days are also a known favorite of ransomware groups and nation-state espionage operations, precisely because they offer high-value access with relatively low noise.
The Pwn2Own Factor: Exchange Is Under a Microscope
The timing couldn't be more telling. On the same day Microsoft disclosed active exploitation of CVE-2026-42897, day two of Pwn2Own Berlin 2026 saw researcher Orange Tsai of DEVCORE chain three separate bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange — earning $200,000 and 20 Master of Pwn points in a full win. That brings the two-day Pwn2Own total to $908,750 across 39 unique vulnerabilities.
The Pwn2Own vulnerabilities are separate from CVE-2026-42897 and will be disclosed to Microsoft under a 90-day coordinated disclosure window. But the message is clear: right now, Exchange is one of the most intensively targeted and researched platforms on the planet.
What Yuba City Businesses Should Do Today
If your business runs an on-premises Exchange server, here's your action list:
- Confirm your Exchange version using the PowerShell command above
- Verify the Exchange Emergency Mitigation Service is running — this is your fastest protection
- If EEMS isn't available, download and run the EOMT script manually
- Watch for Microsoft's permanent patch and apply it as soon as it's released
- Audit OWA access — consider whether all users truly need browser-based email access from outside the network, or whether VPN-gated access is feasible
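For the OWA audit in the last item, the per-mailbox OWAEnabled flag is the simplest lever an Exchange admin has: it lists who can use browser-based mail at all and lets you switch it off for accounts that don't need it. The script below is an added example, not from the article; Get-CASMailbox and Set-CASMailbox -OWAEnabled are standard Exchange cmdlets, while the exemption list, the CSV export and the review-before-change pattern are the example's own choices. Note that this disables OWA for a mailbox everywhere, not just from outside the network; gating OWA behind a VPN is a perimeter change this script does not make.

```powershell
# Added example: inventory OWA-enabled mailboxes, export the list for review, then disable
# OWA for the reviewed set. Identities in the exemption list are placeholders.

function Get-OwaEnabledMailboxes {
    param(
        [string[]] $Exempt = @()   # aliases or SMTP addresses that must keep OWA
    )
    # OPATH filter runs server-side; $true stays literal inside single quotes.
    Get-CASMailbox -ResultSize Unlimited -Filter 'OWAEnabled -eq $true' |
        Where-Object {
            $_.Alias -notin $Exempt -and $_.PrimarySmtpAddress.ToString() -notin $Exempt
        } |
        Select-Object Name, Alias, PrimarySmtpAddress, OWAEnabled, ActiveSyncEnabled
}

function Disable-OwaForMailboxes {
    param(
        [Parameter(Mandatory)] [object[]] $Mailboxes,
        [switch] $WhatIf    # pass -WhatIf to preview without changing anything
    )
    foreach ($m in $Mailboxes) {
        Set-CASMailbox -Identity $m.Alias -OWAEnabled $false -WhatIf:$WhatIf
    }
}

# Step 1: review. Nothing is changed by these calls. Exempt identities are examples only.
$owaUsers = Get-OwaEnabledMailboxes -Exempt @('helpdesk', 'owner@example.com')
$owaUsers | Format-Table -AutoSize
$owaUsers | Export-Csv -Path .\owa-enabled-mailboxes.csv -NoTypeInformation

# Step 2: dry run, then remove -WhatIf once the list has been signed off.
Disable-OwaForMailboxes -Mailboxes $owaUsers -WhatIf
```

Keep the exported CSV: it is the record of who had OWA before the change, and it is what you will re-enable from if someone turns out to need it.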
If you manage your own Exchange environment and you're unsure whether mitigations have been applied correctly, or if you'd just like a second set of eyes on your setup, we're happy to help at Computer Works. Our business IT services are designed for exactly these kinds of time-sensitive situations.
The flaw appeared just two days after Microsoft's May 2026 Patch Tuesday, which fixed 138 separate vulnerabilities — a reminder that the patching cycle never really stops. Acting on mitigations today, even before a permanent fix arrives, is the right call.