INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).

Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers

| 2026-05-15 12:35 CRITICAL HIGH
Executive Summary AI-generated
The Microsoft Exchange Server vulnerability, CVE-2026-42897, is a high-severity zero-day flaw that allows an unauthorized attacker to perform spoofing over a network. This exploit was disclosed by the tech giant on May 14 and affects some on-premises Exchange Server versions: all existing Exchange Server 2016 versions, all existing Exchange Server 2019 versions, and all existing Exchange Server Subscription Edition (SE) versions. The vulnerability is due to an improper neutralization of input during web page generation - also called cross-site scripting (XSS) - in Microsoft Exchange Server that allows an attacker to perform spoofing over a network. Administrators can manually apply the mitigation by downloading the latest version of the Exchange On-premises Mitigation Tool (EOMT), running the provided PowerShell script, or both. However, this approach may cause issues such as disabling or disrupting features like OWA Print Calendar and Inline images. Microsoft has acknowledged that both mitigation measures can be problematic. The vulnerability is rated 8.1 on the CVSS scale, indicating its severity.
Technical Mitigations AI-generated
• Enable Exchange Emergency Mitigation (EM) Service • Manually apply the Exchange On-premises Mitigation Tool (EOMT) • Run PowerShell script targeting either a single server or all servers at once using CVE-2026-42897 identifier
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2023-21529CVE-2023-21529 CVE-2026-42897CVE-2026-42897
Target & Sectors
NORTH_AMERICA NORTH_AMERICA BENELUX BENELUX healthhealth
Incident Timeline
‎September 2021
Threat actors exploited a zero-day vulnerability in Microsoft Exchange EEMS introduced in September 2021.
‎older than March 2023
Administrators can verify the incident by checking the applied mitigations for CVE-2026-42897 (M2.1.x) through Microsoft Exchange Health Checker documentation or enabling EM Service on servers running older versions of Exchange Server.
industry Health
organisation CVE-2026-42897
organisation Running the Exchange Health Checker
organisation EM Service
organisation Enabling the EM Service
tactic T1584.004 - Server
‎2026/05/11
Threat actors exploited a previously unknown vulnerability in Microsoft Exchange, specifically CVE-2026-42897, by targeting users through Outlook Web Access when certain interaction conditions were met.
vulnerability CVE-2026-42897
organisation Outlook Web Access
tactic T1059.007 - JavaScript
‎May 14
Threat actors used a previously unknown vulnerability in Microsoft Exchange to target all versions of the software.
tactic T1584.004 - Server
infrastructure 8.1
organisation the Exchange Team
‎2016, 2019
Threat actors exploited a previously unknown vulnerability in Microsoft Exchange Server 2016, 2019 and Service Editions instances to gain unauthorized access.
tactic T1584.004 - Server
organisation the Exchange Emergency Mitigation
organisation SEs
organisation the Exchange Emergency Mitigation Service
‎May 15, 2026
Threat actors used a previously unknown vulnerability in Microsoft Exchange Server to target on-premise versions.
tactic T1584.004 - Server
organisation Microsoft
organisation Microsoft / Vulnerability
‎2026/05/15
Microsoft confirmed active exploitation of an Exchange Server zero-day vulnerability, CVE-2026-42897.
organisation Microsoft Exchange
organisation Exchange
organisation Exchange Management Shell
organisation Cyber-Risks
organisation Exchange Outlook Web Access
organisation OWA
organisation Microsoft
organisation CVSS
organisation Crafted Email
organisation EMS
organisation EM Service
organisation Outlook Web Access
infrastructure 19 Microsoft Exchange Server
organisation the Period 2 Exchange
organisation SecurityAffairs
organisation the Exchange Emergency Mitigation Service
organisation EOMT
organisation On-Prem Exchange Servers
organisation Outlook
organisation Temporary Fixes Available
organisation the Exchange Emergency Mitigation
organisation the EM Service
organisation the Centre for Cybersecurity Belgium
organisation CCB
organisation BEC
organisation Finally, Exchange
organisation Exchange Team
organisation NIST
organisation National Vulnerability Database
infrastructure Linux
organisation OWA Print Calendar
organisation OWASP
organisation Fortbridge
organisation Maximum Severity
organisation the Microsoft Exchange
organisation the Exchange EM Service
organisation EM
infrastructure Windows
organisation Mailbox
organisation ProxyLogon
organisation ProxyShell
organisation the Outlook Desktop
organisation BleepingComputer
organisation Exchange Emergency Mitigation Service
‎May 29, 2026
Threat actors exploited a recently disclosed Microsoft Exchange zero-day vulnerability.
‎May 2026
Threat actors exploited a previously unknown Microsoft Exchange zero-day vulnerability that surfaced two days after the company's May 2026 Patch Tuesday updates.
general_metric 138 vulnerabilities
Tactical Metrics
Metrics
infrastructure
‎8.1
Software Version
Metrics
infrastructure
‎Linux
Affected Product
Metrics
infrastructure
19
Microsoft Exchange Server
Metrics
infrastructure
‎Windows
Affected Product