Particle.news

Microsoft Says Exchange OWA Flaw Is Under Active Attack, Rolls Out Auto Mitigation

Temporary protection now comes from the built-in mitigation service while permanent security updates are still pending; those updates will be limited for some older servers.

Overview

  • The vulnerability CVE-2026-42897, disclosed Thursday, affects on‑premises Exchange 2016, 2019 and Subscription Edition and lets attacker-controlled code run in the user's browser when a crafted email is opened in Outlook on the web (OWA).
  • Microsoft labeled the risk Exploitation Detected, assigned a CVSS 8.1 score, and said Exchange Online is not affected.
  • The Exchange Emergency Mitigation Service is auto‑applying a URL rewrite (mitigation ID M2.1.x), and Microsoft warns it can break OWA calendar printing and inline images and may show a cosmetic “invalid” message.
  • Admins whose servers cannot reach Microsoft's mitigation service (disconnected networks) should use the Exchange on‑premises Mitigation Tool to apply the same mitigation on each server with the provided PowerShell script.
  • Permanent patches are in development, with a public update planned for Exchange Server Subscription Edition and fixes for Exchange 2016/2019 limited to customers in Period 2 of the Extended Security Updates program.
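The summary above describes two delivery paths for the interim mitigation (automatic via the Exchange Emergency Mitigation Service, or manual via the mitigation tool on disconnected servers). The following PowerShell, run from the Exchange Management Shell on an on-premises server, is an added example written for this page; it is not code from the article, from Microsoft, or from the mitigation tool. It reports whether the mitigation service is running, whether automatic mitigations are enabled at the organization and server level, and whether a mitigation whose ID starts with a given prefix has been applied or blocked on each server. The cmdlets and the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties are standard Exchange 2016 CU22+/2019 CU11+ features; the prefix `M2.1` mirrors the placeholder `M2.1.x` quoted in the article and must be replaced with the real mitigation ID from Microsoft's advisory.

```powershell
# Added example (not from the article or Microsoft): audit Exchange Emergency Mitigation
# Service (EEMS) state across on-premises servers and check for a specific mitigation ID.
# Run from the Exchange Management Shell with a view-only or higher admin role.
param(
    # Placeholder prefix taken from the article's "M2.1.x"; replace with the real ID.
    [string]$MitigationIdPrefix = 'M2.1'
)

function Get-EemsMitigationReport {
    param([string]$Prefix)

    # 1. Organization-wide switch: if this is $false, EEMS will not auto-apply anything.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($srv in Get-ExchangeServer) {
        # 2. Local service state is only meaningful for the server the shell runs on,
        #    so query it remotely by computer name where possible.
        $svc = Get-Service -Name MSExchangeMitigation -ComputerName $srv.Name -ErrorAction SilentlyContinue
        $svcStatus = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }

        # 3. MitigationsApplied/MitigationsBlocked are lists of mitigation IDs per server.
        $applied = @($srv.MitigationsApplied)
        $blocked = @($srv.MitigationsBlocked)
        $matchApplied = $applied | Where-Object { $_ -like "$Prefix*" }
        $matchBlocked = $blocked | Where-Object { $_ -like "$Prefix*" }

        # 4. Derive an action hint a defender would want:
        #    - service running but nothing applied usually means the server cannot reach
        #      Microsoft's mitigation endpoint (disconnected network): apply manually.
        #    - mitigation blocked means an admin opted out; confirm that is intentional given
        #      the article's note about calendar printing / inline images side effects.
        $hint = if ($matchApplied) { 'Mitigation present' }
                elseif ($matchBlocked) { 'Mitigation explicitly blocked on this server' }
                elseif (-not $orgEnabled -or -not $srv.MitigationsEnabled) { 'EEMS disabled; apply manually' }
                elseif ($svcStatus -ne 'Running') { 'EEMS service not running; investigate or apply manually' }
                else { 'Not yet applied; check connectivity to mitigation service or apply manually' }

        [PSCustomObject]@{
            Server                = $srv.Name
            Version               = $srv.AdminDisplayVersion
            OrgMitigationsEnabled = $orgEnabled
            ServerMitigationsOn   = $srv.MitigationsEnabled
            EemsService           = $svcStatus
            MitigationsApplied    = ($applied -join ', ')
            MitigationsBlocked    = ($blocked -join ', ')
            TargetMitigation      = if ($matchApplied) { ($matchApplied -join ', ') } else { '' }
            Action                = $hint
        }
    }
}

Get-EemsMitigationReport -Prefix $MitigationIdPrefix | Format-Table -AutoSize
```

The report is read-only: it changes nothing on the servers, so it can be run repeatedly while waiting for the permanent update and again afterwards to confirm the interim rewrite rule has been retired. Servers that show "Not yet applied" with the service running are the ones the article's disconnected-network guidance targets.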