According to Infosecurity Magazine, Microsoft has warned of a high-severity zero-day vulnerability that could allow an attacker to send arbitrary code to a victim by crafting an email to an Outlook user. The flaw, tracked as CVE-2026-42897 and rated CVSS 8.1, stems from improper neutralisation of input during web page generation (cross-site scripting) in on-premises Microsoft Exchange Server, enabling spoofing over a network. It affects all existing Exchange Server 2016, 2019 and Exchange Server Subscription Edition (SE) versions; Exchange Online is not affected.
A patch has not yet been released, but Microsoft published a security advisory on 14 May outlining two mitigations to reduce exposure until updates are available: the recommended Exchange Emergency Mitigation (EM) Service, which is enabled by default and may already be applying mitigations on servers that can reach Microsoft's mitigation endpoint, and a manual route using the Exchange On-premises Mitigation Tool (EOMT), a PowerShell script, for environments that cannot use EM.
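Because EM only helps on servers where the service is enabled, running and able to fetch mitigations, the first practical step is to find out which of your servers are actually covered and which need the manual EOMT route. The script below is an added example, not code from the article or from Microsoft's advisory; it uses the documented EM properties on Get-ExchangeServer (MitigationsEnabled, MitigationsApplied, MitigationsBlocked), the Windows service name MSExchangeMitigation, and the officeclient.microsoft.com endpoint the EM service polls. The mitigation identifier for this CVE is not given in the article, so the output lists whatever EM reports as applied rather than matching a specific ID.

```powershell
# Added example (not from the Infosecurity Magazine article or Microsoft's advisory).
# Run from the Exchange Management Shell (Windows PowerShell 5.1) on an
# Exchange 2016/2019/SE server. Reports, per Mailbox server, whether the
# Exchange Emergency Mitigation (EM) Service is enabled, running and has
# applied mitigations, so you know which servers still need the manual EOMT route.

# Organisation-wide switch: if this is $false, EM is off everywhere regardless
# of per-server settings.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

# Assumption: the EM service runs on Mailbox servers only, so Edge Transport
# servers are skipped.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }

$report = foreach ($server in $servers) {
    # Per-server EM state as documented by Microsoft for Get-ExchangeServer.
    $s   = Get-ExchangeServer -Identity $server.Identity
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' `
               -ErrorAction SilentlyContinue

    $serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        Server            = $server.Name
        Version           = $server.AdminDisplayVersion
        OrgMitigations    = $orgEnabled
        ServerMitigations = $s.MitigationsEnabled
        ServiceStatus     = if ($svc) { $svc.Status } else { 'NotFound' }
        Applied           = ($s.MitigationsApplied -join ', ')
        Blocked           = ($s.MitigationsBlocked -join ', ')
        # Any of these conditions means EM cannot be relied on for this server.
        NeedsManualEOMT   = (-not $orgEnabled) -or (-not $s.MitigationsEnabled) -or (-not $serviceRunning)
    }
}

$report | Sort-Object NeedsManualEOMT -Descending | Format-Table -AutoSize

# EM fetches its mitigation list from Microsoft; if this server cannot reach
# the endpoint, EM is silently ineffective here even when enabled.
# Only the local server is tested; repeat on each server (e.g. via Invoke-Command).
$endpoint = 'https://officeclient.microsoft.com/getexchangemitigations'
try {
    $r = Invoke-WebRequest -Uri $endpoint -UseBasicParsing -TimeoutSec 15
    Write-Host ("EM endpoint reachable from {0}: HTTP {1}" -f $env:COMPUTERNAME, $r.StatusCode)
} catch {
    Write-Warning ("EM endpoint NOT reachable from {0}: {1}" -f $env:COMPUTERNAME, $_.Exception.Message)
    Write-Warning "Plan the manual EOMT route for this server."
}
```

Servers that come back with NeedsManualEOMT set to True, or an unreachable endpoint, are the ones to mitigate by hand with EOMT. Re-run the report after applying anything, and again after the security update ships, since Microsoft notes that the mitigations themselves can have side effects and they should be removed once the patched build is installed.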
Microsoft notes that both mitigations can cause side effects, and the company is developing security updates: the SE update is expected to be released publicly, while the 2016 and 2019 updates will go to Extended Security Update (ESU) customers. The article was published on 15 May 2026.