Microsoft has flagged CVE-2026-42897, a critical Microsoft Exchange Server spoofing vulnerability, as Exploitation Detected. The flaw is a cross-site scripting issue in Exchange Server that can be triggered when an attacker sends a specially crafted email and the user opens it in Outlook Web Access under certain interaction conditions. In that browser context, arbitrary JavaScript can run [1].
The affected products are on-prem Exchange Server versions: Exchange Server Subscription Edition RTM, Exchange Server 2019 CU15, Exchange Server 2019 CU14, and Exchange Server 2016 CU23. Microsoft lists the severity as Critical with a CVSS 8.1 score, but the operational signal matters more than the number: the advisory says exploitation has already been detected, while the update table does not yet provide a normal security update package [1].
Why This Exchange Bug Needs a Mitigation Check
The immediate control is Exchange Emergency Mitigation Service, not a standard patch install. Microsoft says EM Service will provide the temporary mitigation automatically and is on by default; if it is not enabled, administrators need to enable it. Microsoft also says it is still developing and testing a more permanent fix, which explains why there are no update links in the Security Update Table yet [1].
For defenders, the useful check is not just “is Exchange up to date?” but “is EM Service actually installed, running, connected, and allowed to apply mitigations?” Microsoft Learn describes EM Service as a Windows service on Exchange Mailbox servers that downloads mitigations from the Office Config Service and can apply controls such as IIS URL Rewrite rules, service disablement, or app-pool disablement for actively exploited threats [2]. Edge Transport servers do not get the service, so they cannot be the place where this mitigation is verified.
Because exploitation depends on a crafted email being opened in OWA, review OWA exposure, suspicious mail that targets high-value users, unusual browser-side behavior reported by users, and any recent Exchange mitigations applied by EM Service. This is different from the Microsoft Word Preview Pane RCE risk, where preview handling was central, but it overlaps with the same email-driven attacker path Gridinsoft covered in Operation HookedWing phishing and Microsoft AiTM phishing.
If EM Service was disabled for operational reasons, treat that as an exposure decision that now needs owner sign-off. The practical order is: verify affected Exchange versions, confirm EM Service status, confirm the latest mitigation state, reduce unnecessary OWA exposure, and watch for Microsoft’s permanent fix. Older Exchange emergency-response history, including the ProxyLogon one-click mitigation tool, shows why temporary mitigations should be tracked as change-controlled security controls, not forgotten after the first alert.
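The EM Service checks described above (installed, running, enabled, connected, mitigations applied or blocked) and the verification order in the previous paragraph can be folded into one Exchange Management Shell pass. This is an added example, not Microsoft's or Gridinsoft's code: it assumes Windows PowerShell on a Mailbox server with remote service access to the other Mailbox servers, uses the documented MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties and the MSExchangeMitigation service name, and assumes the connectivity and mitigation-listing scripts are present under the default Exchange Scripts folder ($exscripts).

```powershell
# Added example: inventory EM Service state across Mailbox servers.
# Property and service names are the documented Exchange ones; the script
# paths at the end assume the default Exchange install layout ($exscripts).

$report = foreach ($srv in Get-ExchangeServer) {
    # Edge Transport servers do not run EM Service, so they are skipped
    if ($srv.ServerRole -match 'Edge') { continue }

    # Windows service state on the Mailbox server (Windows PowerShell 5.1 -ComputerName)
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion      # compare against the affected build list
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotInstalled' }
        ServiceStartType   = if ($svc) { $svc.StartType } else { 'n/a' }
        MitigationsEnabled = $srv.MitigationsEnabled       # per-server switch
        MitigationsApplied = ($srv.MitigationsApplied -join ',')
        MitigationsBlocked = ($srv.MitigationsBlocked -join ',')
    }
}

# The organization-level switch turns EM Service off everywhere when it is $false
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report | Format-Table -AutoSize
"Organization MitigationsEnabled: $orgEnabled"

# Flag every condition that would stop the temporary mitigation from landing
$report | Where-Object {
    -not $_.MitigationsEnabled -or $_.ServiceStatus -ne 'Running' -or $_.MitigationsBlocked
} | ForEach-Object { Write-Warning "EM Service is not fully effective on $($_.Server)" }
if (-not $orgEnabled) { Write-Warning 'EM Service is disabled at the organization level' }

# Connectivity to the Office Config Service and the list of mitigations currently
# applied are checked locally on each Mailbox server with the shipped scripts:
#   & "$exscripts\Test-MitigationServiceConnectivity.ps1"
#   & "$exscripts\Get-Mitigations.ps1"
```

Any server that warns here is one where the advisory's automatic mitigation cannot be assumed, which is the evidence the exposure sign-off in the paragraph above should be based on.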

