<h1>Exchange Server zero-day vulnerability can be triggered by opening a malicious email</h1>
<p>Published 2026-05-15 at <a href="https://cybersecurityinfocus.com/?p=8172">cybersecurityinfocus.com</a>.</p>
<p>A newly discovered zero-day vulnerability in Microsoft Exchange Server has experts declaring an emergency and urging CSOs to consider abandoning on-premises email.</p>
<p>“Because it’s already being exploited in the wild, this isn’t a ‘patch next week’ situation; it’s a ‘mitigate right now’ emergency,” warned <a href="https://www.linkedin.com/in/rob-enderle-03729" target="_blank" rel="noopener">Rob Enderle</a> of the Enderle Group.</p>
<p>“This is another reminder to find a trusted cloud provider for e-mail,” added <a href="https://www.sans.org/profiles/dr-johannes-ullrich" target="_blank" rel="noopener">Johannes Ullrich</a>, dean of research at the SANS Institute. “On-premises Exchange is becoming a legacy product, and while some organizations need it for internal and outbound email, its attack surface should be minimized by reducing its exposure to external email.”</p>
<p>Ullrich <a href="https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498" target="_blank" rel="noopener">was commenting on an alert from Microsoft this week</a> about a cross-site scripting vulnerability in Exchange Outlook Web Access (OWA) that can be exploited merely by sending a specially crafted email to a user. If the user opens the message in OWA and certain interaction conditions are met, arbitrary JavaScript runs in the user’s browser, in the context of their authenticated OWA session.</p>
<p>Avoiding cross-site scripting problems in webmail systems like OWA is hard, Ullrich admitted. A webmail system must include HTML email received from users within the application’s HTML without confusing the two. Techniques like sandboxed iframes can help, but need to be applied carefully.</p>
<p>At the same time, he said, cross-site scripting flaws in webmail can usually be used to read the content of an email, and in some cases even to send an email.</p>
<p>“Luckily,” he added, “many organizations have moved away from on-premises Exchange and Outlook Web Access.”</p>
<p>“I’m guessing this is bad,” said <a href="https://ca.linkedin.com/in/kellman" target="_blank" rel="noopener">Kellman Meghu</a>, CTO of DeepCove Cybersecurity, “but so is running an onsite Exchange Server in general.”</p>
<p>Affected by the vulnerability (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897" target="_blank" rel="noopener">CVE-2026-42897</a>) are Exchange Server 2016, 2019, and Exchange Server Subscription Edition (SE), regardless of their update levels.</p>
<p>The cloud service, Exchange Online, is unaffected.</p>
<h2>Mitigation</h2>
<p>Microsoft is still working on a security patch. In the meantime, Exchange administrators should know that if the Exchange Emergency Mitigation (EM) Service is enabled on their servers (and it should be: it has been enabled by default since its release in September 2021), Microsoft has already published an automatic mitigation for this vulnerability for the affected versions of Exchange.</p>
<p>If the EM Service has been disabled for any reason, it should be enabled immediately. Note, however, that the EM Service cannot check for new mitigations if the server is running an Exchange Server version older than March 2023; such servers need to be updated before the automatic mitigation can reach them.</p>
<p>Those who can’t use the EM Service, for example because their servers are disconnected or in air-gapped environments, should download the latest version of the Exchange On-premises <a href="https://aka.ms/UnifiedEOMT" target="_blank" rel="noopener">Mitigation Tool (EOMT)</a> and apply the mitigation on a per-server basis, or on all servers at once by running the script from an elevated Exchange Management Shell.</p>
<h2>Known issues with mitigation tactics</h2>
<p>Admins should note that there are known issues once the mitigation is applied, whether manually or automatically through the EM Service.</p>
<p>OWA Print Calendar functionality might not work. As a workaround, copy the data or screenshot the calendar you want to print, or use the Outlook desktop client.</p>
<p>Inline images might not display correctly in the recipient’s OWA reading pane. As a workaround, send images as email attachments or use the Outlook desktop client.</p>
<p>OWA Light (OWA URL ending in <em>/?layout=light</em>) does not work properly. Note that this feature was <a href="https://support.microsoft.com/en-us/office/learn-more-about-the-light-version-of-outlook-2aec8c2d-da48-4707-ba37-c800e1c284cd" target="_blank" rel="noopener">deprecated several years ago</a> and is not intended for regular production use.</p>
<p>Admins may see the message “Mitigation invalid for this Exchange version.” in the mitigation details. This issue is cosmetic; the mitigation has applied successfully if its status is shown as “Applied”. Microsoft is investigating how to address the glitch.</p>
<h2>Updates coming ‘in the future’</h2>
<p>A Microsoft spokesperson was asked when the security update would be released. We were referred to the company’s statement.</p>
<p>In its warning, Microsoft says security updates for impacted versions of Exchange Server will come “in the future.” They will be for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. Those running older CU versions are urged to update now so they can install the fix when it ships.</p>
<p>The Exchange SE update will be released as a publicly available security update. Exchange 2016 and 2019 updates will be released only to customers enrolled in the <a href="https://techcommunity.microsoft.com/blog/exchange/announcing-period-2-exchange-20162019-extended-security-update-esu-program/4511603" target="_blank" rel="noopener">Period 2 Exchange Server ESU program</a>. Period 1-only ESU customers will not receive this update, as that program ended last month.</p>
<p>Enderle said the fact that Microsoft issued an interim fix that breaks features like calendar printing and inline images is “a clear sign of how desperate they are to stop the bleeding.”</p>
<p>“CSOs need to move past the ‘wait and see’ approach and treat this as a litmus test for their security automation,” he said. “If your team has the Exchange Emergency Mitigation (EM) Service enabled, you should already be protected, but you need to verify that ‘Mitigation M2’ is actually active across your entire inventory. If you’re running air-gapped or have the EM service disabled, you’re sitting ducks until you manually run the EOMT script.”</p>
<p>This is another “massive nudge” from Redmond to shift from on-premises email, Enderle added. “If you aren’t already planning your exit from on-site Exchange, your risk profile is only going to keep climbing as these zero days become the new normal. This does showcase that Azure, and web services in general, are where the industry, and particularly Microsoft, is pushing IT to go, whether they want to or not.”</p>
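<p>The Mitigation section above, and Enderle’s advice to verify that the mitigation is active across the whole inventory, amount to a checklist an admin can script. The following is an added PowerShell example, not code from the article, from Microsoft, or from the EOMT tool. It assumes the Exchange Management Shell cmdlets and properties that the Emergency Mitigation Service exposes (Get-OrganizationConfig and Get-ExchangeServer with MitigationsEnabled, MitigationsApplied and MitigationsBlocked, and the MSExchangeMitigation Windows service), and it assumes that this mitigation is listed under the ID ‘M2’, which is taken from Enderle’s quote and should be confirmed against Microsoft’s advisory before the result is trusted.</p>

```powershell
# Added example, not code from the article or from Microsoft.
# Run in an elevated Exchange Management Shell once the automatic mitigation
# has had time to roll out. For every Mailbox server it reports whether the
# Emergency Mitigation Service (EEMS) is enabled and running and whether the
# CVE-2026-42897 mitigation shows as applied or blocked.
#
# Assumption: EEMS lists this mitigation under the ID 'M2' (taken from the
# article's quote). Confirm the ID against Microsoft's advisory.
$MitigationId = 'M2'

# Org-wide switch: if this is $false, EEMS takes no action on any server,
# regardless of the per-server setting.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
if (-not $orgEnabled) {
    Write-Warning 'MitigationsEnabled is False at the organization level; enable it with Set-OrganizationConfig -MitigationsEnabled $true'
}

$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.IsMailboxServer })) {
    # The EEMS Windows service must be running for mitigations to be fetched and applied.
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $srv.Name
        # Reported so you can compare it against Microsoft's build table:
        # servers older than the March 2023 updates cannot fetch new mitigations.
        Version            = $srv.AdminDisplayVersion
        MitigationsEnabled = [bool]($orgEnabled -and $srv.MitigationsEnabled)
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        MitigationApplied  = @($srv.MitigationsApplied) -contains $MitigationId
        MitigationBlocked  = @($srv.MitigationsBlocked) -contains $MitigationId
    }
}

$report | Format-Table -AutoSize

# Anything listed below needs manual action: enable EEMS on that server
# (Set-ExchangeServer -Identity <name> -MitigationsEnabled $true), or, for
# disconnected or air-gapped servers, run the Exchange On-premises Mitigation
# Tool downloaded from https://aka.ms/UnifiedEOMT on the server itself.
$report |
    Where-Object { -not $_.MitigationApplied -or $_.MitigationBlocked -or $_.ServiceStatus -ne 'Running' } |
    ForEach-Object { Write-Warning ("{0}: mitigation {1} not confirmed" -f $_.Server, $MitigationId) }
```

<p>The script only reads state; it does not change any setting. A server that shows the mitigation as applied but whose service is stopped will not pick up future revisions of the mitigation, which is why the final check treats a non-running service as a failure even when ‘M2’ is present.</p>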