Microsoft Exchange Zero-Day Exploited: Permanent Patch Restricted to ESU Customers
Microsoft has confirmed active in-the-wild exploitation of CVE-2026-42897 affecting Exchange on-premise servers. CISA has issued a high-priority alert as perma…

On May 14, 2026, Microsoft confirmed that a cross-site scripting (XSS) vulnerability, tracked as CVE-2026-42897, is being actively exploited against on-premise Exchange Servers. The flaw carries a CVSS score of 8.1 and allows attackers to execute malicious scripts in a victim's browser via a specially crafted email opened in Outlook Web Access (OWA). The situation is particularly critical as a permanent patch will only be available to customers enrolled in the Period 2 Extended Security Updates (ESU) program, effectively excluding those whose support expired with Period 1 in April 2026.
- Microsoft has assigned CVE-2026-42897 "Exploitation Detected" status, confirming the XSS flaw is being used in active attacks.
- The attack vector involves malicious emails viewed in Outlook Web Access, though it requires specific user interaction to succeed.
- Interim mitigations (EM Service ID M2.1.x and the EOMT script) cause functional degradation in OWA, including issues with calendar printing and inline images.
- The permanent security update is reserved for Exchange 2016/2019 customers with Period 2 ESU; those on Period 1 (expired April 2026) will not receive the structural fix.
Attack Vector: Exploiting XSS in Outlook Web Access
The CVE-2026-42897 vulnerability resides within the Outlook Web Access component of on-premise Exchange Server installations and is classified under CWE-79 as a cross-site scripting flaw. Microsoft explains that an attacker can send a specifically crafted email to a target. If the user opens this email in OWA under certain interaction conditions, arbitrary JavaScript is executed in the context of the victim's session, potentially granting the attacker access to authenticated data and functions.
The vulnerability holds a CVSS score of 8.1. The attack vector is network-based but requires user interaction, as indicated by the UI:R component of its CVSS vector. Rather than a server-side remote code execution (RCE), this is a client-side attack that runs in the victim's browser. The documented impact is spoofing: once malicious code executes within the page context, it can abuse the user's authenticated session.
Active exploitation has been confirmed by Microsoft. According to reports from the Microsoft Security Response Center, cited by The Hacker News, the failure to neutralize input during web page generation allows unauthorized attackers to conduct network spoofing. The CIRCL database officially lists the status as "Exploited: Yes," aligning public technical data with the vendor's disclosure.
CISA Escalates Threat Status to National Alert
On May 14, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued a formal alert regarding the vulnerability. Chris Butera, CISA's Acting Executive Assistant Director, stated that the agency is actively monitoring the threat and working to mitigate the impact on on-premise Exchange servers. CISA's intervention elevates the incident from a standard vendor advisory to a matter of national security, urging both public and private sectors to prioritize their response.
While the government intervention does not yet provide indicators of compromise (IoCs) or specific threat actor identities, the alignment between Microsoft’s disclosure, the "Exploited: Yes" status in the CIRCL database, and the CISA alert signals an immediate and concrete threat. Security teams are advised that the absence of IoCs should not delay the implementation of defensive measures.
Interim Protections: EM Service and EOMT Script
Microsoft has deployed an automated mitigation via the Exchange Emergency Mitigation Service (EM Service), which is enabled by default on supported versions of Exchange Server. Identified as mitigation M2.1.x, this mechanism operates server-side to neutralize the attack vector without requiring manual administrator intervention, provided the environment maintains connectivity to Microsoft for rule updates.
For air-gapped infrastructures or environments where EM Service is restricted by policy, Microsoft has released the Exchange On-premises Mitigation Tool (EOMT) script. Both solutions are temporary; they do not replace a permanent patch but serve to reduce the attack surface until a final update is released, the date for which has not yet been announced.
Applying these mitigations results in measurable functional degradation for Outlook Web Access users. Documented known issues include broken calendar printing, incorrect rendering of inline images, the inability to use OWA Light mode, and a cosmetic error message regarding mitigation validity that may appear even when the protection is correctly applied. These side effects are currently the necessary trade-off for immediate protection.
The ESU Divide: Legacy Systems Left Unprotected
While Microsoft confirmed a permanent patch is in development, it will be distributed exclusively to Exchange Server 2016 and 2019 customers enrolled in Period 2 Extended Security Updates. Organizations that only subscribed to Period 1 ESU are formally excluded, as that program concluded in April 2026. The Exchange Team has clearly defined this support boundary.
"Period 1 only ESU customers will not receive this update as that ESU program ended in April 2026." — Microsoft Exchange Team
This policy transforms technical debt into active risk. Organizations running Exchange 2016 or 2019 without Period 2 ESU face a difficult choice: continue using temporary mitigations that degrade user experience, accelerate a migration to Exchange Online, or purchase the necessary support extension to receive the update. None of these options are without cost or operational complexity.
Immediate Actions for System Administrators
System administrators must act immediately. The vulnerability is being exploited and a permanent patch is not universally available. The following actions are prioritized:
- Verify immediately that the Exchange Emergency Mitigation Service is active and that mitigation M2.1.x has been applied. Check status via the admin interface or operational logs to confirm the servers have received the rules.
- For air-gapped environments or those with EM Service disabled, manually run the EOMT script on all affected on-premise Exchange servers before attack volumes increase.
- Monitor Outlook Web Access for anomalies, such as suspicious sessions, logins from unexpected sources, or spoofing behavior consistent with malicious JavaScript execution.
- Administrators of Exchange 2016/2019 instances outside of Period 2 ESU should plan for an immediate upgrade, subscribe to the support extension, or evaluate a migration to Exchange Online to ensure long-term security.
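One way to carry out the first two checks above across a whole environment, as an added example that is not part of the advisory or Microsoft's own tooling. It runs from the Exchange Management Shell and uses the documented `Get-OrganizationConfig` and `Get-ExchangeServer` mitigation properties; the `M2.1` prefix matching is an assumption based on the mitigation ID this article cites, so adjust it if your EM Service logs show a different identifier.

```powershell
# Added example: audit EM Service state and the CVE-2026-42897 mitigation on every server.
# Assumption: the mitigation ID begins with "M2.1" as named in the advisory.
$MitigationPrefix = 'M2.1'

# Organization-wide switch. If this is $false, EM Service applies nothing anywhere.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "MitigationsEnabled is false at the organization level; EM Service is inactive."
}

$report = foreach ($srv in Get-ExchangeServer) {
    # Per-server view: MitigationsApplied / MitigationsBlocked are populated by EM Service.
    $details = Get-ExchangeServer -Identity $srv.Identity
    $applied = @($details.MitigationsApplied)
    $blocked = @($details.MitigationsBlocked)
    $hasFix  = $applied | Where-Object { $_ -like "$MitigationPrefix*" }

    # MSExchangeMitigation is the Windows service name of the EM Service.
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $details.AdminDisplayVersion
        MitigationsEnabled = $details.MitigationsEnabled
        EMServiceStatus    = if ($svc) { $svc.Status } else { 'NotFound' }
        M21Applied         = [bool]$hasFix
        AppliedIds         = ($applied -join ', ')
        BlockedIds         = ($blocked -join ', ')
    }
}

$report | Format-Table -AutoSize

# Servers needing manual attention: EM Service not running, or the mitigation not present.
# These are the candidates for the EOMT script or for an EM Service connectivity check.
$report | Where-Object { $_.EMServiceStatus -ne 'Running' -or -not $_.M21Applied } |
    ForEach-Object { Write-Warning "$($_.Server): mitigation missing; run EOMT or check EM Service connectivity." }
```

A server that shows the mitigation under `BlockedIds` has had it explicitly excluded with `Set-ExchangeServer -MitigationsBlocked`, which is worth reviewing before assuming it is protected.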
The CVE-2026-42897 incident is more than a standard bug; it is a reminder that lifecycle choices and legacy support can become critical operational bottlenecks. For a significant portion of the on-premise install base, security is no longer just about updates, but about forced migration or the controlled management of known risks.
Frequently Asked Questions
- Can this attack be executed without any user interaction?
- No. The CVSS vector for CVE-2026-42897 specifies UI:R (User Interaction Required). Microsoft states that a user must open a specially crafted email in Outlook Web Access and certain interaction conditions must be met to trigger the script execution.
- Can servers in air-gapped environments be protected?
- Yes, but not through the automated service. Administrators must manually download and apply the Exchange On-premises Mitigation Tool (EOMT) script to each isolated server, as the EM Service requires connectivity to Microsoft’s infrastructure.
- Do Exchange Online users need to take action?
- No. Exchange Online is not affected by this vulnerability. Action is only required for on-premise instances of Exchange Server 2016 CU23, 2019 CU14/CU15, and the Subscription Edition.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
- https://www.cisa.gov/news-events/news/cisa-issues-alert-vulnerability-affecting-microsoft-exchange
- https://vulnerability.circl.lu/vuln/msrc_cve-2026-42897
- https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498