Microsoft Exchange Server Zero-Day CVE-2026-42897 Is Being Actively Exploited — Here's What Small Businesses Need to Do Right Now
If your business runs its own on-premises Microsoft Exchange Server, stop what you're doing. Microsoft has confirmed that attackers are actively exploiting a brand-new zero-day vulnerability — meaning there is no permanent patch yet, and hackers already know how to use it.
Here's everything you need to know, plus a step-by-step checklist to protect yourself right now.
What Is CVE-2026-42897?
Security Affairs reported on May 15, 2026 that Microsoft issued a warning about a new Exchange Server zero-day tracked as CVE-2026-42897, carrying a CVSS score of 8.1 — which puts it firmly in the "high severity" category.
The vulnerability is a cross-site scripting (XSS) flaw — specifically, an improper neutralization of input during web page generation in Microsoft Exchange Server. According to The Hacker News, an attacker can weaponize it by sending a specially crafted email to a user. When that user opens the email in Outlook Web Access (OWA) — the browser-based version of Exchange — under certain conditions, arbitrary JavaScript code executes directly in the user's browser.
In plain English: someone sends your employee a booby-trapped email. Your employee opens it in the web browser version of Outlook. Malicious code runs silently in the background.
Microsoft has tagged the vulnerability with an "Exploitation Detected" assessment, meaning attacks are already happening in the wild. It has not yet disclosed details about who the attackers are, who has been targeted, or the scale of the attacks.
Who Is Affected?
This is critical to understand: Exchange Online (Microsoft 365) is NOT affected. This vulnerability only impacts on-premises Exchange Server installations. According to Help Net Security, the following versions are vulnerable:
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any update level)
If your business hosts its own Exchange server — common in industries like legal, healthcare, and finance that prefer keeping email on local infrastructure — you are potentially in the crosshairs.
Why This Is Especially Dangerous
Exchange Server zero-days aren't just another software bug. As Security Affairs explains, Exchange sits at the center of corporate email — one of the most sensitive systems in any organization. Compromising it can give attackers access to emails and attachments, stolen credentials, the ability to reset passwords, a path into other internal systems, and the ability to maintain long-term access using mail rules or tokens.
On top of that, many on-premises Exchange servers are internet-facing by design, which means attackers can reach them from anywhere in the world. And because OWA runs in a browser, the attack vector is as simple as getting someone to open an email — something users do hundreds of times a day.
Exchange zero-days like this are frequently targeted in cyber espionage and ransomware campaigns because of the high-value access they provide.
This vulnerability also surfaced just two days after Microsoft's May 2026 Patch Tuesday, which addressed 138 other vulnerabilities — meaning it didn't get the benefit of that regular update cycle.
Step-by-Step: What to Do Right Now
There is no permanent fix yet, but Microsoft has provided temporary mitigations that you should apply immediately.
Step 1 — Confirm Whether You're Running On-Premises Exchange
Log into your server or ask your IT administrator: are you running Exchange Server 2016, 2019, or SE on your own hardware or a hosted server you manage? If yes, proceed. If you're on Microsoft 365 / Exchange Online only, you are not affected.
Step 2 — Check If the Exchange Emergency Mitigation Service Is Running
According to The Hacker News, Microsoft is providing an automatic temporary mitigation through its Exchange Emergency Mitigation Service (EEMS). This service is enabled by default and will automatically apply a URL rewrite configuration to block the attack vector.
To verify it's running:
- Open Services on your Exchange Server (search "Services" in the Start menu)
- Look for Microsoft Exchange Emergency Mitigation
- Confirm it shows as Running
If it's not running, start it immediately.
Step 3 — Confirm the Mitigation Is Applied
After confirming the service is running, check that the mitigation status shows "Applied" in your Exchange Admin Center or mitigation logs. Help Net Security notes that Microsoft is aware of a cosmetic display issue where the mitigation may show "Mitigation invalid for this exchange version" in the Description field — but if the status reads "Applied," the mitigation is working correctly regardless.
Step 4 — If You Can't Use the Automatic Service (Air-Gapped or Restricted Networks)
Some businesses — particularly those in regulated industries with isolated networks — may have the Emergency Mitigation Service disabled. In that case, The Hacker News outlines a manual approach using the Exchange on-premises Mitigation Tool (EOMT):
- Download the latest EOMT from Microsoft's official repository at aka.ms/UnifiedEOMT
- Open an elevated Exchange Management Shell (EMS)
- Run one of the following scripts:
  - Single server:
    .\EOMT.ps1 -CVE "CVE-2026-42897"
  - All servers at once:
    Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
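The checks in Steps 2 and 3 can be done in one pass from an elevated Exchange Management Shell. The script below is an added example written for this post, not code from Microsoft or from the sources cited above; the `Get-ExchangeServer` and `Get-OrganizationConfig` `Mitigations*` properties are the standard EEMS reporting interface, while the Windows service name `MSExchangeMitigation` and the mitigation ID placeholder are assumptions (Microsoft has not published the mitigation ID for this CVE in the reporting cited here, so replace the placeholder once it is known).

```powershell
# Added verification script for Steps 2-3 (example, not from the article or Microsoft).
# ASSUMPTION: the EEMS mitigation ID for CVE-2026-42897 is not yet public; replace this.
$ExpectedMitigationId = 'REPLACE_WITH_MITIGATION_ID_FROM_MICROSOFT'

# Step 2: the Windows service shown as "Microsoft Exchange Emergency Mitigation" in Services.
# ASSUMPTION: its service name is MSExchangeMitigation; confirm in services.msc if lookup fails.
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'EEMS service not found on this host (expected on Exchange 2016/2019/SE mailbox servers).'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "EEMS service is $($svc.Status); starting it now."
    Start-Service -Name 'MSExchangeMitigation'
}

# Organization-wide switch: if this is False, EEMS will not apply anything on any server.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    Write-Warning 'MitigationsEnabled is False at the organization level; EEMS is effectively off.'
}

# Step 3: per-server mitigation state. Edge servers do not run EEMS, so they are skipped.
Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' } | ForEach-Object {
    $applied = @($_.MitigationsApplied)
    $blocked = @($_.MitigationsBlocked)
    [pscustomobject]@{
        Server             = $_.Name
        MitigationsEnabled = $_.MitigationsEnabled
        Applied            = ($applied -join ', ')
        Blocked            = ($blocked -join ', ')
        # True only when the expected mitigation ID appears in the Applied list
        TargetApplied      = ($applied -contains $ExpectedMitigationId)
    }
} | Format-Table -AutoSize
```

A server whose row shows MitigationsEnabled False, an empty Applied column, or the expected ID under Blocked is the one to fall back to the manual EOMT route in Step 4 on.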
Step 5 — Ensure Your Exchange CU Level Is Current
Help Net Security notes that when the permanent security update is released, it will target Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. If you're running an older Cumulative Update (CU) version, Microsoft explicitly advises updating to a supported CU now so you can receive the fix when it becomes available. Also note that Exchange 2016 and 2019 updates will only be released to customers enrolled in the Period 2 Exchange Server ESU program.
Step 6 — Brief Your Staff
Until the permanent patch is released, remind employees that opening unexpected or unusual emails through Outlook Web Access carries elevated risk. Encourage them to report anything suspicious rather than clicking through it.
Step 7 — Watch for the Permanent Patch
Microsoft says a security update is in development. Keep a close eye on Microsoft's Security Update Guide and apply it the moment it becomes available.
When to Call a Professional
If you're a Yuba City small business running on-premises Exchange and you're not sure whether your server is exposed, whether the mitigation applied correctly, or whether your current CU level is supported — that's worth a conversation with someone who can log in and check. Misconfigured Exchange servers can quietly remain vulnerable even after mitigation attempts. If you'd like help verifying your setup, our team at Computer Works is familiar with exactly these kinds of urgent situations and can take a look.
The Bottom Line
CVE-2026-42897 is a real, actively-exploited threat affecting on-premises Exchange Server 2016, 2019, and SE. The attack is deceptively simple — a crafted email opened in Outlook Web Access — and the consequences of a successful exploit can be severe: stolen emails, compromised credentials, and a foothold into your entire network.
No permanent patch exists yet, but Microsoft's automatic mitigation through the Exchange Emergency Mitigation Service is available right now and should be your first move. Don't wait for the permanent fix to verify your protection status — apply the mitigation today and stay close to Microsoft's update announcements for when the full patch arrives.