Microsoft disclosed mitigations for CVE-2026-42897, a high-severity Exchange Server spoofing flaw that can be exploited through specially crafted emails to execute arbitrary JavaScript in Outlook on the web. The company recommends enabling Exchange Emergency Mitigation Service or using the Exchange On-Premises Mitigation Tool until permanent patches arrive for Exchange Server 2016, 2019, and Subscription Edition. #Microsoft #ExchangeServer #CVE-2026-42897 #EEMS #EOMT
Keypoints
- Microsoft identified CVE-2026-42897 as a spoofing flaw in Exchange Server.
- Attackers can trigger arbitrary JavaScript through crafted emails in Outlook on the web.
- Exchange Emergency Mitigation Service can automatically apply temporary protections.
- Admins in air-gapped environments can use the Exchange On-Premises Mitigation Tool.
- Patches are planned for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14 and CU15.