On-prem Exchange Servers Hit by XSS Exploit via Email

Microsoft warns on-prem Exchange servers are being exploited via a crafted email that triggers XSS CVE-2026-42897 in Outlook Web Access.

Microsoft disclosed that on-premises Exchange Server installations are being targeted by attacks that use a crafted email to trigger CVE-2026-42897, a cross-site scripting vulnerability in Outlook Web Access. The flaw can allow arbitrary JavaScript to run in a user’s browser on Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition at any update level. Microsoft assigned the bug a CVSS score of 8.1 and flagged the issue with an “Exploitation Detected” assessment in an advisory published Thursday. An anonymous researcher is credited with reporting the issue.

Microsoft’s advisory describes the vulnerability this way: “Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.”

An attacker can send a specially crafted email that, when opened in Outlook Web Access and when certain interaction conditions are met, can execute JavaScript in the context of the recipient’s browser. Microsoft noted that Exchange Online is not affected.

The company did not publish technical details of how the vulnerability is being exploited, the identity of any threat actor, the scale of the activity or whether any intrusion attempts were successful.

As an immediate measure, Microsoft is providing a temporary mitigation through the Exchange Emergency Mitigation Service, which applies a URL rewrite configuration and is enabled by default. Administrators are advised to confirm that the Windows service providing the mitigation is running. For air-gapped environments or servers that cannot use the automatic service, Microsoft published the Exchange on-premises Mitigation Tool (EOMT) and guidance for running the mitigation manually from an elevated Exchange Management Shell, either against a single server or across all servers.
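The following is an added example, not part of the article or of Microsoft's guidance, showing how an administrator could verify the steps above from an elevated Exchange Management Shell: that the Emergency Mitigation service is running, that mitigations are enabled for the organization, and which servers report an applied mitigation. It assumes the Windows service name MSExchangeMitigation and the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties of Get-ExchangeServer and Get-OrganizationConfig, none of which appear on the page; the article does not give the identifier of the mitigation for this CVE, so the script lists all applied mitigations rather than filtering on one.

```powershell
# Added example; not from the article or from Microsoft's advisory.
# Assumptions: the Emergency Mitigation service is registered as
# 'MSExchangeMitigation', and Get-OrganizationConfig / Get-ExchangeServer
# expose MitigationsEnabled, MitigationsApplied and MitigationsBlocked.
# Run in an elevated Exchange Management Shell on an Exchange server.

# 1. The service must exist and be running for mitigations to be applied
#    automatically; if it is absent, fall back to EOMT or manual application.
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'Emergency Mitigation service not found; use EOMT or apply the mitigation manually.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "Emergency Mitigation service is '$($svc.Status)'; attempting to start it."
    Start-Service -Name 'MSExchangeMitigation'
}

# 2. Organization-wide switch: when this is $false the service applies nothing,
#    regardless of its own state.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'Mitigations are disabled at the organization level (MitigationsEnabled = $false).'
}

# 3. Per-server status: applied and blocked mitigation identifiers for review.
$servers = Get-ExchangeServer
$servers |
    Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# 4. Servers reporting no applied mitigation are the ones that need follow-up
#    (for example via EOMT on air-gapped hosts).
$unmitigated = $servers | Where-Object { -not $_.MitigationsApplied }
if ($unmitigated) {
    Write-Warning ("Servers with no applied mitigations: " + ($unmitigated.Name -join ', '))
}
```

A server that shows the mitigation as "Applied" with the cosmetic "invalid for this exchange version" description mentioned below is still covered, so the check above keys on the applied list rather than on the description text.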

The Exchange Team noted a cosmetic display issue in which the mitigation description may read “Mitigation invalid for this exchange version” even when the mitigation status shows “Applied.” The team wrote that the message is cosmetic, that the mitigation is in effect whenever the status reads “Applied,” and that engineers are investigating how to correct the display text.

Microsoft advised administrators to apply the available mitigations while a permanent update is prepared and to review Outlook Web Access logs and mailbox activity for any signs of suspicious behavior.
