Microsoft Exchange Server Spoofing Vulnerability Exploited in Attack (CVE-2026-42897)

Microsoft has addressed a new security vulnerability impacting on-premises versions of Exchange Server that is being exploited in the wild. Tracked as CVE-2026-42897, the vulnerability may allow an attacker to perform network spoofing.

CISA also acknowledged the active exploitation of the vulnerability and added it to its Known Exploited Vulnerabilities Catalog. CISA urged users to patch the vulnerability before May 29, 2026.

Microsoft Exchange Server is a comprehensive email, calendaring, contact, and collaboration platform developed by Microsoft. It acts as a central hub for organizational communication, primarily designed for business and enterprise use, running on Windows Server.

Vulnerability Details

The vulnerability originates from a cross-site scripting flaw in the Exchange Outlook Web Access (OWA). An unauthenticated attacker could exploit the vulnerability by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, an attacker can execute arbitrary JavaScript in the browser context.

Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-42897. QVS is a Qualys-assigned score for a vulnerability that combines multiple factors associated with the CVE, such as its CVSS scores and external threat indicators like active exploitation, exploit code maturity, inclusion in CISA's Known Exploited Vulnerabilities Catalog, and more.

Affected Versions

The vulnerability affects the following on-premises Exchange Server versions:

  • Exchange Server 2016 (any update level)
  • Exchange Server 2019 (any update level)
  • Exchange Server Subscription Edition (SE) (any update level)

The vulnerability does not impact Exchange Online.

Mitigation

Microsoft has mentioned in its advisory that it is providing a temporary mitigation for this vulnerability through the Exchange Emergency Mitigation Service.

For more information, please refer to the Microsoft Security Advisory.

Microsoft suggests the following actions when the Exchange Emergency Mitigation Service cannot be used:

  • Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT.
  • Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS):
      • Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
      • All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

Qualys Detection

Qualys customers can scan their devices with QID 50146 to detect vulnerable assets.

EVALUATE Vendor-Suggested Mitigation with Policy Audit (PA)

Qualys Policy Audit provides out-of-the-box mitigation or compensatory controls that reduce the risk of a vulnerability being exploited when remediation (a fix or patch) cannot be applied immediately. These security controls are not prescribed by industry standards such as CIS or DISA-STIG.

The Qualys Policy Audit team releases these exclusive controls based on vendor-suggested mitigation and workarounds.

Mitigation refers to a setting, common configuration, or general best practice that, in its default state, can reduce the severity of vulnerability exploitation.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often employs workarounds to overcome hardware, programming, or communication issues. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been published to support the evaluation of recommended mitigations:

  • 24975 Status of Microsoft Exchange Emergency Mitigation Service
    Supported technologies: Microsoft Exchange Server 2016, Microsoft Exchange Server 2019
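The state that Control 24975 evaluates, and that decides whether the manual EOMT steps above are needed, can also be checked directly from an elevated Exchange Management Shell. The script below is an added example, not from the Qualys post or from Microsoft; it assumes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties exposed by Get-ExchangeServer and Get-OrganizationConfig on Exchange 2016/2019 builds that ship the Emergency Mitigation Service.

```powershell
# Added example: audit Exchange Emergency Mitigation Service (EEMS) status on every
# non-Edge server, which is the condition Qualys Control 24975 reports on.
# Run from an elevated Exchange Management Shell.

# EEMS is only active when it is enabled at the organization level AND on the server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = Get-ExchangeServer |
    Where-Object { $_.ServerRole -ne 'Edge' } |
    ForEach-Object {
        [pscustomobject]@{
            Server             = $_.Name
            OrgEnabled         = $orgEnabled
            ServerEnabled      = $_.MitigationsEnabled
            EemsActive         = ($orgEnabled -and $_.MitigationsEnabled)
            MitigationsApplied = ($_.MitigationsApplied -join ',')
            MitigationsBlocked = ($_.MitigationsBlocked -join ',')
        }
    }

$report | Format-Table -AutoSize

# Servers without an active EEMS will not receive the temporary mitigation for
# CVE-2026-42897 automatically; these are the ones to cover with EOMT.ps1.
$report | Where-Object { -not $_.EemsActive } | ForEach-Object {
    Write-Warning "EEMS not active on $($_.Server): apply .\EOMT.ps1 -CVE 'CVE-2026-42897' manually"
}
```

Export $report to CSV if you want an evidence record alongside the Policy Audit result.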

Continue following Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498

Author: Diksha Ojha

Senior Technical Writer
