Critical Vulnerability in Microsoft Exchange Server Exploited via Crafted Emails
Microsoft has recently disclosed a significant security vulnerability affecting on-premises versions of Exchange Server, identified as CVE-2026-42897. This flaw has been actively exploited in the wild, posing a substantial risk to organizations utilizing these servers.
Understanding CVE-2026-42897
CVE-2026-42897 is classified as a spoofing vulnerability resulting from improper neutralization of input during web page generation, commonly known as cross-site scripting (XSS). This flaw allows unauthorized attackers to perform spoofing attacks over a network. An anonymous researcher discovered and reported this issue, prompting Microsoft to assign it a CVSS score of 8.1, indicating a high severity level.
Mechanism of Exploitation
Attackers can exploit this vulnerability by sending specially crafted emails to users. When such an email is opened in Outlook Web Access (OWA) under specific interaction conditions, it can trigger the execution of arbitrary JavaScript code within the context of the user’s web browser. This execution can lead to various malicious activities, including data theft, session hijacking, and further propagation of malware.
Affected Versions
The vulnerability impacts the following on-premises versions of Microsoft Exchange Server:
– Exchange Server 2016 (all update levels)
– Exchange Server 2019 (all update levels)
– Exchange Server Subscription Edition (SE) (all update levels)
Notably, Exchange Online is not affected by this vulnerability.
Microsoft’s Response and Mitigation Measures
In response to the active exploitation of CVE-2026-42897, Microsoft has provided temporary mitigation measures through its Exchange Emergency Mitigation Service. This service automatically applies a URL rewrite configuration to mitigate the vulnerability and is enabled by default. Administrators are advised to ensure that this service is active.
For environments where the Exchange Emergency Mitigation Service cannot be utilized, such as air-gapped systems, Microsoft recommends the following steps:
1. Download the latest version of the Exchange On-Premises Mitigation Tool (EOMT) from the official Microsoft link.
2. Apply the mitigation on a per-server basis or across all servers by running the script via an elevated Exchange Management Shell (EMS):
– For a single server:
“`
.\EOMT.ps1 -CVE CVE-2026-42897
“`
– For all servers:
“`
Get-ExchangeServer | Where-Object { $_.ServerRole -ne Edge } | .\EOMT.ps1 -CVE CVE-2026-42897
“`
Administrators should be aware of a known issue where the mitigation may display the message Mitigation invalid for this exchange version in the Description field. Microsoft has clarified that this issue is cosmetic, and the mitigation is applied successfully if the status is shown as Applied.
Implications for Organizations
The exploitation of CVE-2026-42897 underscores the critical importance of maintaining up-to-date security measures and promptly applying patches and mitigations. Organizations relying on affected versions of Microsoft Exchange Server should take immediate action to implement the recommended mitigations to protect their systems and sensitive data.
Recommendations for Administrators
1. Verify Mitigation Implementation: Ensure that the Exchange Emergency Mitigation Service is enabled and functioning correctly.
2. Apply EOMT Script: For environments where the automatic mitigation service is not feasible, execute the EOMT script as per Microsoft’s guidelines.
3. Monitor for Updates: Stay informed about updates from Microsoft regarding a permanent fix for this vulnerability and apply it as soon as it becomes available.
4. Educate Users: Inform users about the risks associated with opening emails from unknown or untrusted sources, especially when using Outlook Web Access.
5. Review Security Policies: Regularly review and update security policies to ensure they align with best practices for mitigating similar vulnerabilities.
Conclusion
The active exploitation of CVE-2026-42897 highlights the evolving nature of cybersecurity threats and the necessity for organizations to remain vigilant. By promptly implementing Microsoft’s recommended mitigations and maintaining robust security practices, organizations can reduce the risk posed by this vulnerability and safeguard their critical communication infrastructure.
