
Microsoft has disclosed a new security vulnerability impacting on-premises versions of Exchange Server that it said has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.
"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," the tech giant said in a Thursday advisory.
Microsoft, which tagged the vulnerability with an "Exploitation Detected" assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other "certain interaction conditions," can allow arbitrary JavaScript code to be executed in the context of the web browser.
Redmond also noted that it is providing a temporary mitigation through its Exchange Emergency Mitigation Service, while it is readying a permanent fix for the security defect.
The Exchange Emergency Mitigation Service will provide the mitigation automatically via a URL rewrite configuration, and is enabled by default. If it is not on, users are advised to enable the Windows service.
According to Microsoft, Exchange Online is not impacted by this vulnerability. The following on-premises Exchange Server versions are affected –
- Exchange Server 2016 (any update level)
- Exchange Server 2019 (any update level)
- Exchange Server Subscription Edition (SE) (any update level)
If using the Exchange Emergency Mitigation Service is not an option due to air-gap restrictions, the company has outlined the following series of actions –
- Download the latest version of the Exchange On-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT.
- Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS):
- Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
- All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
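The two paths above, the built-in service and the EOMT fallback, as an added example for an Exchange administrator (not code from the article or from Microsoft): it checks that the Emergency Mitigation Service is set to start automatically and is running, and only where the server is air-gapped runs EOMT for this CVE across every non-Edge server. The Windows service name MSExchangeMitigation, the -AirGapped switch, and EOMT.ps1 sitting in the current directory are assumptions not stated in the article.

```powershell
# Added example, not from the article or Microsoft. Run from an elevated Exchange
# Management Shell. Assumption: "MSExchangeMitigation" is the Windows service name of the
# Exchange Emergency Mitigation Service (not stated in the article).
param([switch]$AirGapped)

$cve     = "CVE-2026-42897"
$svcName = "MSExchangeMitigation"

$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service $svcName not found; this host may not be an Exchange mailbox server."
} else {
    # The service is enabled by default; bring it back if someone disabled it.
    if ($svc.StartType -ne "Automatic") {
        Set-Service -Name $svcName -StartupType Automatic
    }
    if ($svc.Status -ne "Running") {
        Start-Service -Name $svcName
    }
    # Show the resulting state so the change is visible in the shell transcript.
    Get-Service -Name $svcName | Select-Object Name, Status, StartType
}

# Air-gapped servers cannot receive the automatic mitigation, so apply the EOMT
# mitigation for this CVE to all non-Edge servers (the same pipeline the article gives).
if ($AirGapped) {
    Get-ExchangeServer |
        Where-Object { $_.ServerRole -ne "Edge" } |
        .\EOMT.ps1 -CVE $cve
}
```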
Microsoft said it is also aware of a known issue where the mitigation shows "Mitigation invalid for this exchange version" in the Description field. "This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as 'Applied,'" the Exchange Team said. "We're investigating how to address this."
There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It is also unclear who the targets are and if any of those attacks have been successful. In the interim, it is recommended to apply the mitigations recommended by Microsoft.

