Microsoft last week disclosed a high severity zero-day vulnerability (CVE-2026-42897) affecting on-premises Microsoft Exchange Servers. CISA has confirmed the bug is already being exploited by threat actors. The CVE was added to CISA’s Known Exploited Vulnerabilities catalog on May 15.
The bug is a cross-site scripting vulnerability affecting Outlook Web Access (OWA), which attackers could exploit by sending a “specially crafted” email to the user, Microsoft wrote in an advisory. It has been given a CVSS of 8.1, making it a high severity vulnerability.
If the user opens this email in OWA and certain further conditions are met, the attacker could execute arbitrary JavaScript in the browser. Microsoft did not detail what additional conditions are required.
OWA is a browser-based email client used by millions of people to check their Exchange email online.
The vulnerability impacts organizations running on-premises Exchange Server — versions 2016, 2019, and Subscription Edition, at any update level. Organizations using Exchange Online are not affected.
Microsoft Releases Temporary EM Service Mitigation Ahead of Full Patch
Microsoft said it was working on a security update for impacted versions of Exchange. In the meantime, Microsoft has released a temporary mitigation via the Exchange Emergency Mitigation Service (EM Service).
This is enabled by default on most Exchange servers, but organizations should verify it’s working by running Microsoft’s Exchange Health Checker script and looking for mitigation ID M2.1.x.
If you are unable to use the Exchange Emergency Mitigation Service, you can download the latest version of the Exchange On-premises Mitigation Tool and apply the mitigation to all servers manually.
Organizations running builds older than March 2023 should update immediately, as the auto-mitigation won’t work. If this applies to you, follow the advice Microsoft outlines here.
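The verification steps above (confirm the EM Service is enabled, confirm a M2.1.x mitigation has actually been applied, and flag servers where it has not) can be scripted across a fleet. The following PowerShell is an added example written for this page, not code from the article, Microsoft, or the Health Checker script. It uses the documented Exchange Management Shell cmdlets Get-OrganizationConfig, Get-ExchangeServer and Get-ExchangeDiagnosticInfo; the assumption that the diagnostic result is XML text that can be searched for mitigation IDs, and the M2.1.x regex, are this example's own and should be checked against your servers' output.

```powershell
# Added example (not from the article or Microsoft). Run from the Exchange
# Management Shell on an on-premises Exchange 2016/2019/SE server.
# Goal: report, per server, whether the Emergency Mitigation (EM) Service is
# enabled and whether a mitigation from the M2.1.x family named in the
# advisory has been applied.

$Pattern = 'M2\.1\.\d+'   # mitigation ID family cited in the article (assumption: IDs appear verbatim in the output)

# 1. Organization-level switch. If this is false, EM Service is off everywhere,
#    regardless of the per-server setting.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "MitigationsEnabled is false at the organization level; EM Service will not apply mitigations on any server."
}

# 2. Per-server state. Edge Transport servers do not run EM Service, so only
#    Mailbox-role servers are checked.
$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' })) {
    $applied = @()
    try {
        # Documented query for the mitigation overrides currently applied on a server.
        $diag = Get-ExchangeDiagnosticInfo -Server $srv.Name `
                  -Process Microsoft.Exchange.Directory.TopologyService `
                  -Component VariantConfiguration -Argument Overrides
        # Assumption: .Result holds the XML text of the applied overrides; search it
        # for mitigation IDs rather than depending on the exact element layout.
        $applied = @([regex]::Matches([string]$diag.Result, $Pattern) |
                     ForEach-Object { $_.Value } | Sort-Object -Unique)
    } catch {
        Write-Warning "Could not query $($srv.Name): $_"
    }

    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion   # builds older than March 2023 cannot auto-mitigate; update them
        MitigationsEnabled = $srv.MitigationsEnabled
        M2_1_Mitigations   = ($applied -join ', ')
        NeedsAttention     = (-not $srv.MitigationsEnabled) -or ($applied.Count -eq 0)
    }
}

$report | Format-Table -AutoSize
# Servers needing follow-up (EM Service disabled, or no M2.1.x mitigation present)
# are exported for the remediation tracker.
$report | Where-Object { $_.NeedsAttention } |
    Export-Csv -NoTypeInformation -Path .\eems-check.csv
```

A server that shows MitigationsEnabled as true but no M2.1.x ID has most likely not yet pulled the latest mitigation or is running a build too old to auto-mitigate; the article's guidance for both cases is to update, or to apply the mitigation with the Exchange On-premises Mitigation Tool. Treat this check as a complement to the Health Checker script the article recommends, not a replacement for it.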
CISA has set a deadline of May 29 for remediation. This is binding on all Federal Civilian Executive Branch (FCEB) agencies, and CISA strongly encourages all other organizations to follow the same guidance as best practice.