Microsoft Confirms Active 0-Day – Apply Emergency Fix Now

▼ Summary
– Microsoft confirmed an Exchange Server zero-day, CVE-2026-42897, which CISA warned is under active exploitation in the wild.
– The vulnerability is a spoofing flaw exploitable via a malicious email that, when opened in Outlook Web Access, executes arbitrary JavaScript.
– Exchange Online is not affected, but on-premises Exchange Server 2016, 2019, and Subscription Edition are vulnerable.
– Microsoft recommends enabling the Exchange Emergency Mitigation Service (EEMS) and checking for mitigation ID M2.1.x as an interim fix until a formal patch is released.
– Security experts urge organizations to validate EEMS functionality immediately and consider migrating to Exchange Online or isolating servers behind a zero-trust gateway.
Microsoft has confirmed the existence of a critical zero-day vulnerability in Exchange Server, and the U.S. Cybersecurity and Infrastructure Security Agency has already flagged it as being actively exploited by attackers in the wild. The company urges all organizations to apply an emergency mitigation immediately.
Updated May 18: This article now includes additional guidance on the emergency mitigation process Microsoft recommends, following confirmation from CISA that the CVE-2026-42897 Exchange Server zero-day is under active exploitation. In a separate development, another security researcher, described as an ‘angry hacker’, has publicly posted a proof-of-concept exploit for a Windows 11 privilege escalation flaw that works even on fully patched systems.
The past few days have been particularly turbulent for Microsoft Exchange security. On one hand, a zero-day was responsibly disclosed at the Pwn2Own Berlin hacking event and kept out of the wild. On the other, a separate Exchange zero-day, confirmed by Microsoft on May 14, is already being weaponized by attackers. CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities Catalog on May 15, urging all organizations to prioritize immediate remediation. Here is everything you need to know.
The CVE-2026-42897 Microsoft Exchange Zero-Day Explained
Microsoft disclosed the vulnerability on May 14, describing it as a Microsoft Exchange Server spoofing flaw. In technical terms, the issue stems from improper neutralization of input during web page generation, a classic cross-site scripting (XSS) vulnerability. An attacker needs only to send a maliciously crafted email. When the recipient opens it in Outlook Web Access, arbitrary JavaScript executes in the browser within the victim’s OWA session, so the script can act as that user against the mailbox, enabling spoofing over the network.
“The disclosure of CVE-2026-42897 is a reminder that on-premises Exchange remains the most targeted piece of real estate in the enterprise stack,” said Damon Small, a director at Xcape, Inc. He added that “this zero-day allows unauthenticated remote code execution, effectively granting attackers a direct path to the heart of corporate identity and communications.”
Exchange Online is not affected. However, the following on-premises Exchange Server versions are vulnerable at any update level:
- Exchange Server 2016
- Exchange Server 2019
- Exchange Server Subscription Edition

Microsoft Urges Immediate Check of Exchange Emergency Mitigation Status

Microsoft recommends using the Exchange Emergency Mitigation Service (EM Service, also abbreviated EEMS) to apply the mitigation, which has already been published through it. “Using EM Service is the best way for your organization to mitigate this vulnerability right away,” Microsoft stated. “If you have EM Service currently disabled, we recommend you enable it right away.”

To verify the status of the EM Service, organizations should run the Exchange Health Checker script provided by Microsoft. “The HTML report will include a section on EEMS check results,” Microsoft confirmed. This report will also confirm whether your servers have applied the mitigation for CVE-2026-42897. The relevant mitigation ID to look for is M2.1.x.

“Because a formal patch is still pending, organizations are forced into a mitigation-only posture, relying on the Emergency Mitigation Service to essentially apply a virtual band-aid to a critical wound,” Small warned. The priority must be immediate validation that the EM Service is functional and applying the necessary URI blocks, as “a single misconfigured server can serve as the beachhead for a full domain compromise.”

Small also noted that this incident should serve as a catalyst to accelerate migration from Exchange Server to Microsoft Exchange Online, or at the very least, to isolate these servers behind a zero-trust gateway.

“Exchange remains one of the most dangerous places for a remote code execution flaw to land,” said Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs. “It sits close to identity and inside the communication layer most organizations depend on every day.” Krell also warned that “attackers study mitigation guidance the same way defenders do,” meaning such vulnerabilities can be turned into working exploits “much faster than most organizations can validate exposure.”

The message is clear: with both CISA and Microsoft confirming active attacks, checking that the Exchange Emergency Mitigation Service is enabled and that the relevant mitigation ID for CVE-2026-42897 has been applied is not optional. It is a critical step to ensure your on-premises Microsoft Exchange Server is not at immediate risk of exploitation.
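The verification step described above, as an added example that is not from the article or from Microsoft: the following PowerShell, run from an Exchange Management Shell, checks the organization-wide EEMS switch, the per-server EEMS state and service, and whether a mitigation whose ID starts with M2.1 (the prefix the article gives for CVE-2026-42897) is listed as applied. It assumes the account holds at least View-Only Organization Management, that HealthChecker.ps1 has been downloaded to the working directory, and that the M2.1 prefix is the right match; confirm the exact mitigation ID against Microsoft’s own release note before relying on it.

```powershell
# Added example (not the article's or Microsoft's code): audit EEMS state across
# on-premises Exchange servers. Run in the Exchange Management Shell.
# Assumed: View-Only Organization Management rights; HealthChecker.ps1 in $PWD;
# the CVE-2026-42897 mitigation ID begins with "M2.1" (taken from the article).

# 1. Organization-wide switch. If this is $false, no server applies mitigations.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level. Enable it with:'
    Write-Warning '  Set-OrganizationConfig -MitigationsEnabled $true'
}

# 2. Per-server state. MitigationsApplied lists IDs the EM service has applied;
#    MitigationsBlocked lists IDs an admin has explicitly blocked. EEMS only
#    runs on Mailbox servers, so Edge Transport servers are skipped.
$mitigationPrefix = 'M2.1'   # assumption from the article's "M2.1.x"; verify against Microsoft's note
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' }

$report = foreach ($srv in $servers) {
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        MitigationsEnabled = $srv.MitigationsEnabled           # $null on builds without EEMS
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        Applied            = ($srv.MitigationsApplied -join ',')
        Blocked            = ($srv.MitigationsBlocked -join ',')
        CveMitigated       = [bool]($srv.MitigationsApplied | Where-Object { $_ -like "$mitigationPrefix*" })
    }
}
$report | Format-Table -AutoSize

# 3. Flag servers that need attention: EEMS off or unsupported, service not
#    running, or the expected mitigation absent. Any one of these means the
#    server has not received the interim fix.
$report |
    Where-Object { -not $_.MitigationsEnabled -or $_.ServiceStatus -ne 'Running' -or -not $_.CveMitigated } |
    ForEach-Object {
        Write-Warning ("{0}: EEMS={1} service={2} mitigated={3}" -f `
            $_.Server, $_.MitigationsEnabled, $_.ServiceStatus, $_.CveMitigated)
    }

# 4. Remediation for a flagged server (uncomment and substitute the server name).
#    Restarting the service forces an immediate mitigation check instead of
#    waiting for the next hourly poll. Applied mitigations are also logged under
#    <ExchangeInstallPath>\Logging\MitigationService on each server.
# Set-ExchangeServer -Identity 'EX01' -MitigationsEnabled $true
# Invoke-Command -ComputerName 'EX01' { Restart-Service -Name MSExchangeMitigation }

# 5. Microsoft's Health Checker; its HTML report carries the EEMS check section
#    the article refers to.
# .\HealthChecker.ps1 -Server $servers.Name
# .\HealthChecker.ps1 -BuildHtmlServersReport
```

A server on a build older than the cumulative update that introduced EEMS returns no MitigationsEnabled value at all; the script deliberately treats that as a failure rather than a pass, since such a server cannot receive the mitigation and needs a CU before anything else.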