Microsoft Exchange 0-Day Exploit Sparks Emergency Warning — Hackers Are Attacking Unpatched Servers
Hackers exploit zero-day vulnerability in Microsoft Exchange Servers, urging immediate mitigation steps

Microsoft has disclosed a new threat affecting Microsoft Exchange Servers: a zero-day vulnerability that is reportedly being exploited by hackers. It was demonstrated at the Pwn2Own Berlin hacking event on 14 May, where researchers showed how an attacker could trigger it with a specially crafted email.
The security flaw was identified as CVE-2026-42897. It is a spoofing vulnerability that affects fully updated versions of Microsoft Exchange 2016, Exchange Server 2019 and Exchange Server Subscription Edition (SE).
'An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context,' the Exchange Team explained via Microsoft.com.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the exploit is already in use and added the flaw to its Known Exploited Vulnerabilities Catalog on 15 May. With no official patch yet available, CISA has urged organizations to apply the available mitigations, since the exploit poses a significant risk.
How The Exploit Is Carried Out
Simply put, all an attacker has to do is send a specially crafted email to a user. Once the unsuspecting recipient opens it, JavaScript embedded in the message runs in the browser. While that page is being generated, the attacker is able to perform spoofing over the network.

'This zero-day allows unauthenticated remote code execution, effectively granting attackers a direct path to the heart of corporate identity and communications,' Xcape, Inc director Damon Small pointed out in a report by Forbes.
For now, there is no security patch that addresses the threat. As an interim measure, Microsoft recommends the Exchange Emergency Mitigation Service (EEMS).
'Using EM Service is the best way for your organization to mitigate this vulnerability right away,' Microsoft advised. 'If you have EM Service currently disabled, we recommend you enable it right away.'
To check whether EEMS is enabled, companies are encouraged to run the Exchange Health Checker script right away. It returns an HTML report containing the results of the EEMS check, including whether each server has applied the mitigation for CVE-2026-42897. The mitigation ID is M2.1.x.
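The following PowerShell is an added example, not code from the article or from Microsoft, showing how an administrator would carry out the checks described above: confirm EEMS is switched on at both the organization and server level, list which mitigations each server has applied, and then run Microsoft's public HealthChecker script to produce the HTML report. It assumes it is run from the Exchange Management Shell with Organization Management rights, that HealthChecker.ps1 has already been downloaded to C:\Scripts (an assumed path), and it treats the article's "M2.1.x" as a placeholder for the exact mitigation ID Microsoft publishes.

```powershell
# Added example (not from the article or from Microsoft): verify and, if needed,
# enable the Exchange Emergency Mitigation Service (EEMS), then run HealthChecker.
# Assumptions: run from the Exchange Management Shell on an Exchange 2016/2019/SE
# server as a member of Organization Management; Microsoft's HealthChecker.ps1 is
# assumed to be downloaded to C:\Scripts (path is an assumption).
# The mitigation ID is quoted from the article as "M2.1.x"; the "x" is a
# placeholder, so substitute the exact ID Microsoft publishes before relying on it.

$MitigationId = 'M2.1.x'   # placeholder taken from the article, not a literal ID

# 1. Organization-wide EEMS switch. Mitigations are only delivered when this is $true.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level; enabling it.'
    Set-OrganizationConfig -MitigationsEnabled $true
}

# 2. Per-server switch. A single server left disabled receives no mitigation,
#    which is exactly the "misconfigured server" risk the article warns about.
$servers = Get-ExchangeServer
foreach ($server in $servers) {
    if ($server.MitigationsEnabled -eq $false) {
        Write-Warning "EEMS is disabled on $($server.Name); enabling it."
        Set-ExchangeServer -Identity $server.Identity -MitigationsEnabled $true
    }
}

# 3. Report which mitigations each server has applied or blocked. MitigationsApplied
#    is populated by the mitigation service with the IDs it has rolled out.
Get-ExchangeServer |
    Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# 4. Flag any server that has not yet applied the mitigation for this CVE.
$missing = Get-ExchangeServer | Where-Object { $_.MitigationsApplied -notcontains $MitigationId }
if ($missing) {
    Write-Warning ("Mitigation {0} not yet applied on: {1}" -f $MitigationId,
        (($missing | ForEach-Object Name) -join ', '))
} else {
    Write-Host "Mitigation $MitigationId is applied on all servers."
}

# 5. Run Microsoft's HealthChecker, then build the HTML report the article refers to.
#    Both invocations are the script's documented usage; the output lands in the
#    current directory.
Set-Location 'C:\Scripts'
.\HealthChecker.ps1
.\HealthChecker.ps1 -BuildHtmlServersReport
```

Step 4 is the check worth scheduling: EEMS being enabled does not by itself prove the mitigation has been rolled out, so compare each server's MitigationsApplied list against the published ID rather than stopping at the on/off switch.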
Even where these steps from Microsoft are followed, organizations are reminded that this is only a temporary fix. Small describes it as a band-aid solution until a formal patch is released.
'A single misconfigured server can serve as the beachhead for a full domain compromise,' Small warned.
Transition to Microsoft Exchange Online Urged
Looking ahead, Small explained why migrating from Exchange Server to Microsoft Exchange Online is essential for the enterprise: the shift puts mail behind a zero-trust gateway instead of an exposed on-premises server.
Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, agreed with Small. He pointed out that Exchange Server is a critical place for a remote code execution flaw to exist, noting that such vulnerabilities may already be working exploits against vulnerable organizations.
For now, there is no telling when Microsoft will roll out a fix for the zero-day. May has been a demanding month for the Microsoft security team, which addressed several vulnerabilities in its Patch Tuesday cycle, most of them reportedly discovered by a new AI-powered bug-hunting system called MDASH (Multi-model Agentic Scanning Harness).
© Copyright IBTimes 2025. All rights reserved.