Microsoft Exchange Server Spoofing Vulnerability Exploited in Attack (CVE-2026-42897)
Microsoft has addressed a new security vulnerability impacting on-premises versions of Exchange Server that is being exploited in the wild. Tracked as CVE-2026-42897, the vulnerability may allow an attacker to perform network spoofing.
Microsoft Exchange Server is a comprehensive email, calendaring, contact, and collaboration platform developed by Microsoft. It acts as a central hub for organizational communication, primarily designed for business and enterprise use, running on Windows Server.
Vulnerability Details
The vulnerability originates from a cross-site scripting flaw in Exchange Outlook Web Access (OWA). An unauthenticated attacker could exploit it by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, the attacker can execute arbitrary JavaScript in the browser context.
Affected Versions
The vulnerability affects the following on-premises Exchange Server versions:
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any update level)
The vulnerability does not impact Exchange Online.
Mitigation
Microsoft states in its advisory that it is providing a temporary mitigation for this vulnerability through the Exchange Emergency Mitigation Service.
For more information, please refer to the Microsoft Security Advisory.
Microsoft suggests the following actions for users who cannot migrate to the Exchange Emergency Mitigation Service:
- Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT.
- Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS):
  - Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
  - All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
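The two EOMT commands above apply the mitigation but leave no record of which servers were covered. The following PowerShell wrapper is an added example, not code from the Qualys post or from Microsoft's EOMT: it inventories the on-premises servers, skips Edge Transport servers as Microsoft's one-liner does, runs EOMT once per server so that one failure does not abort the rest, and writes a per-server CSV for change tracking. It assumes EOMT.ps1 sits in the current directory, accepts a server object on the pipeline and the -CVE parameter exactly as shown in the post, and is run from an elevated Exchange Management Shell.

```powershell
# Added example (not from the Qualys post or Microsoft's EOMT).
# Assumes: run from an elevated Exchange Management Shell; EOMT.ps1 is in the
# current directory and accepts a piped server object plus -CVE, as in the post.

$Cve     = "CVE-2026-42897"
$Script  = Join-Path (Get-Location) "EOMT.ps1"
$LogPath = Join-Path $env:TEMP ("eomt-{0}-{1}.csv" -f $Cve, (Get-Date -Format "yyyyMMdd-HHmmss"))

if (-not (Test-Path $Script)) {
    throw "EOMT.ps1 not found at $Script; download it from aka.ms/UnifiedEOMT first."
}

# Build one result row per server so the outcome can be exported and reviewed.
function New-MitigationResult {
    param($Server, [string]$Status, [string]$Detail = "")
    [pscustomobject]@{
        Server  = $Server.Name
        Role    = [string]$Server.ServerRole
        Version = [string]$Server.AdminDisplayVersion
        Site    = [string]$Server.Site
        Status  = $Status
        Detail  = $Detail
    }
}

# Every on-premises Exchange 2016, 2019 and SE build is affected regardless of
# update level, so the version is recorded for the audit trail, not used to filter.
$Servers = Get-ExchangeServer

$Results = foreach ($Server in $Servers) {
    if ($Server.ServerRole -eq "Edge") {
        # Edge Transport servers do not host OWA; Microsoft's command excludes them too.
        New-MitigationResult -Server $Server -Status "Skipped" -Detail "Edge Transport role"
        continue
    }
    try {
        # Same invocation as the single-server command in the post, one host at a time.
        $Server | & $Script -CVE $Cve -ErrorAction Stop | Out-Null
        New-MitigationResult -Server $Server -Status "Mitigated"
    }
    catch {
        # Record the failure and move on; the CSV shows which hosts still need attention.
        New-MitigationResult -Server $Server -Status "Failed" -Detail $_.Exception.Message
    }
}

$Results | Export-Csv -Path $LogPath -NoTypeInformation
$Results | Format-Table -AutoSize
Write-Host "Per-server results written to $LogPath"

# Anything left in Failed status needs a manual EOMT run or a rollback decision.
$Failed = @($Results | Where-Object { $_.Status -eq "Failed" })
if ($Failed.Count -gt 0) {
    Write-Warning ("{0} server(s) were not mitigated: {1}" -f $Failed.Count, ($Failed.Server -join ", "))
}
```

The CSV gives the evidence a change ticket or a Qualys QID 50146 rescan can be reconciled against: servers marked Mitigated should stop reporting as vulnerable, and any still flagged after a Failed entry point to a host that needs a manual run.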
Qualys Detection
Qualys customers can scan their devices with QID 50146 to detect vulnerable assets.
Continue following Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498