
Microsoft's Exchange Zero-Day Is Being Actively Exploited. No Click Required.

There's a zero-day in Microsoft Exchange Server being actively exploited right now. CISA added it to the Known Exploited Vulnerabilities catalog last week. Federal agencies have a deadline of May 29 to apply mitigations. And as of today, there is no permanent fix.

If your business is running Exchange Server on your own hardware, this one needs your attention.

What CVE-2026-42897 Actually Does

The vulnerability, CVE-2026-42897, is a cross-site scripting (XSS) flaw in Outlook Web Access (OWA), the browser-based interface employees use to check email from any device.[1] An attacker sends a specially crafted email. When the target opens it in OWA, script embedded in the message runs in their browser, inside their already-authenticated OWA session, with whatever rights that user has.

No phishing link to click. No attachment to execute. Just opening the email is enough.

Once that script is running, the attacker operates as the logged-in user and can do anything that user can do in OWA: read email, open shared mailboxes the user has access to, plant inbox rules that silently forward every future message to an outside address, or lay the groundwork for a business email compromise (BEC) attack. The CVSS score is 8.1 out of 10.[2] Microsoft confirmed active exploitation on May 14th, the same day it disclosed the flaw.

Who's Affected (and Who Isn't)

This only affects on-premises Exchange Server: versions 2016, 2019, and the Subscription Edition. If your business uses Exchange Online through a Microsoft 365 subscription, you're not exposed to this particular bug.[3] One caveat: a hybrid deployment still runs at least one on-premises Exchange server for management and mail flow, and that server is in scope.

Here's the thing though: a lot of small and mid-size businesses are still running on-prem Exchange. Sometimes it's a compliance requirement. Sometimes the migration to the cloud just never got prioritized. And honestly, sometimes it's because the server is working fine and nobody wanted to change something that wasn't broken. If any of that describes your situation, keep reading.

What Microsoft Has Done (and Hasn't)

Microsoft pushed an automatic mitigation through the Exchange Emergency Mitigation Service (EM Service, or EEMS; the Windows service is named MSExchangeMitigation) on the day of disclosure.[4] The mitigation is an IIS URL Rewrite rule that blocks the specific request pattern the exploit relies on. It is applied automatically if EM Service is enabled on your server and the server can reach the Office Config Service endpoint at officeclient.microsoft.com over HTTPS, which is where EEMS fetches mitigations from.

That's where it gets complicated. The automatic fix only applies if your server's EM Service is on and connected. Air-gapped environments, servers where the service has been disabled, and servers that haven't been maintained in a while get nothing automatically. (EEMS only exists on the September 2021 cumulative updates and later, so a server that is behind on CUs doesn't have it at all.) For those cases, Microsoft recommends manually running the Exchange On-Premises Mitigation Tool (EOMT), which applies the mitigation locally without depending on the cloud service.

There is still no permanent code-level patch. Microsoft says one is in development, but hasn't given a timeline.

Why "No Click Required" Is a Different Kind of Problem

Most small business owners I work with have gotten decent at one thing: not clicking suspicious links. Years of security awareness training have made that reflex pretty solid. But this attack doesn't need a click. OWA renders the email in the browser, and that rendering is what fires the payload.

You can train employees not to click unknown links. Telling them not to open their email entirely is a different conversation.

The Business Email Compromise angle is the part that keeps me up at night. Once an attacker has code running in an authenticated OWA session, they can do things quietly. Forwarding rules that mirror your inbox to an outside address. Monitoring for wire transfer conversations or vendor invoices. Intercepting the confirmation email before a payment goes out. BEC losses for small businesses average in the tens of thousands of dollars per incident, and they often go undetected for weeks.[5]

Three Things to Check Right Now

If you're running on-prem Exchange, here's where to start.

Confirm the Exchange Emergency Mitigation Service is enabled and running on your server. This is the mechanism that applied the automatic workaround. In the Exchange Management Shell, both Get-OrganizationConfig and Get-ExchangeServer expose a MitigationsEnabled property (both must be true), and Get-ExchangeServer also lists MitigationsApplied and MitigationsBlocked; the Windows service to look for is MSExchangeMitigation. If you're not sure whether it's active, that uncertainty is itself the answer, and you need someone to check.

If EM Service is disabled or you have any reason to think the automatic mitigation didn't apply, download and run the EOMT (EOMT.ps1, published by Microsoft in the CSS-Exchange repository on GitHub and linked from the MSRC advisory). It's free, runs from an elevated Exchange Management Shell, and takes about ten minutes. Run it on every Exchange server, not just the one published to the internet.

Finally, audit forwarding in your mailboxes, and check all three places it can be configured. The Exchange Admin Center's mail flow > rules page shows only organization-wide transport rules. The rules an attacker plants from inside an OWA session are per-mailbox inbox rules, which you list with Get-InboxRule in the Exchange Management Shell, and a mailbox can also be forwarded outright through its ForwardingAddress or ForwardingSmtpAddress properties (Get-Mailbox). Look for anything that forwards or redirects to an external address that nobody in your organization configured, and for inbox rules with blank or meaningless names that delete or move incoming messages, which attackers use to hide replies from the victim. Planted forwarding rules are one of the first signs that OWA access has been abused.
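The three checks above, plus the EM Service connectivity point from the mitigation section, as an added PowerShell example. This is not code from the original post and not a Microsoft tool; it is a read-only triage script for an elevated Exchange Management Shell on an on-premises Exchange 2016/2019/SE server. The cmdlets and properties are standard Exchange ones; the Test-ExternalAddress helper, the loose event-log filter and the commented EOMT invocation are my assumptions and have not been checked against this specific CVE.

```powershell
# Added example (not from the post or from Microsoft): read-only triage for the
# checks described above. Run per server in an elevated Exchange Management Shell.
# Nothing below changes configuration.

# --- 1. Emergency Mitigation Service (EEMS): enabled, running, reachable? ---
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $env:COMPUTERNAME

[pscustomobject]@{
    Server                = $srv.Name
    Version               = $srv.AdminDisplayVersion   # pre-Sept-2021 CU => no EEMS at all
    OrgMitigationsEnabled = $org.MitigationsEnabled    # both flags must be $true
    SrvMitigationsEnabled = $srv.MitigationsEnabled
    MitigationsApplied    = (@($srv.MitigationsApplied) -join ', ')
    MitigationsBlocked    = (@($srv.MitigationsBlocked) -join ', ')
} | Format-List

# The Windows service behind EEMS; Stopped or Disabled means nothing is pulled.
Get-Service -Name MSExchangeMitigation | Select-Object Name, Status, StartType

# EEMS fetches mitigations from the Office Config Service over HTTPS.
Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 |
    Select-Object ComputerName, TcpTestSucceeded

# Recent EEMS events. Assumption: provider name is matched loosely because the
# exact provider and event IDs are not stated in the post.
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Mitigation*' } |
    Select-Object -First 10 TimeCreated, Id, Message

# --- 2. If EEMS is off or blocked: run EOMT manually (not done by this script) ---
# Fetch EOMT.ps1 from the microsoft/CSS-Exchange GitHub repository and run it
# from an elevated shell on every Exchange server; see its README for switches.

# --- 3. Forwarding audit: the three places a copy or redirect can be planted ---
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Test-ExternalAddress {
    # Assumed helper: $true when the address's domain is not one this org owns.
    # Inbox-rule recipients render as  "Display Name" [SMTP:user@example.net]
    param([string]$Address)
    if ($Address -match 'SMTP:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLower()
    return [bool]($domain -and ($acceptedDomains -notcontains $domain))
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 3a. Mailbox-level forwarding (set by an admin, or by anyone holding that role)
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress,
        DeliverToMailboxAndForward,
        @{ n = 'External'; e = { Test-ExternalAddress ($_.ForwardingSmtpAddress -replace '^smtp:', '') } }

# 3b. Per-mailbox inbox rules: what an attacker inside an OWA session can create
$mailboxes | ForEach-Object {
    $mbx = $_
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @(@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ } | ForEach-Object { $_.ToString() })
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress.ToString()
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = ($targets -join '; ')
                External = [bool]($targets | Where-Object { Test-ExternalAddress $_ })
            }
        }
} | Format-Table -AutoSize

# 3c. Organization-wide transport rules (this is what the EAC "mail flow" page shows)
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
    Select-Object Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo, CopyTo

# Hardening check: with AutoForwardEnabled = $false on the default remote domain,
# an inbox rule that forwards to an external address is dropped rather than sent.
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
```

Anything the script flags with External = True in sections 3a or 3b deserves a conversation with the mailbox owner before you delete it; a rule nobody recognises is an incident, not a cleanup task, and the mailbox's audit log and OWA sign-in history are the next things to pull.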

I've seen businesses go months without realizing their email was being silently copied somewhere else. A quick check now costs almost nothing.

Running on-prem Exchange and not sure whether your server is protected? Our team can check your EM Service status and run through a quick security audit. Send us a message or call (412) 307-8313 and we'll take a look.

  1. The Register, "Exploited Exchange Server flaw turns OWA inboxes into script launchpads," theregister.com
  2. National Vulnerability Database, "CVE-2026-42897 Detail," nvd.nist.gov
  3. Microsoft Security Response Center, "CVE-2026-42897," msrc.microsoft.com
  4. SOC Prime, "CVE-2026-42897: Exchange Server OWA Spoofing Flaw Exploited via Crafted Email," socprime.com
  5. Security Affairs, "CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day," securityaffairs.com