  • Exchange Server has a "critical" security bug, but Microsoft does not have a proper fix yet


    Karlston

    • 203 views
    • 3 minutes

    A newly disclosed Exchange Server vulnerability is forcing some admins into messy trade-offs, and not everyone will receive Microsoft's permanent fix.

    Although Exchange Online is Microsoft's recommended configuration to keep your platform modern and updated, Exchange Server continues to be the backbone for many enterprise clients' infrastructure. Now, the Redmond tech firm has issued an advisory that may trouble Exchange Server customers.

    Basically, there is a security vulnerability in Exchange Server 2016, 2019, and Subscription Edition (SE) that lets an attacker execute arbitrary JavaScript in the victim's browser context: the attacker sends a specially crafted email, which the victim has to open in Outlook Web Access (OWA) and interact with in a certain way. In other words, it is a cross-site scripting (XSS) flaw in OWA. It is being tracked as CVE-2026-42897 here and has been assigned Microsoft's maximum severity rating of "critical".

    For now, Microsoft is offering two mitigations. The first one is the recommended approach and requires customers to enable the Exchange Emergency Mitigation (EM) Service, which automatically applies the mitigation for this attack vector. It is important to note that this service shipped with the September 2021 Cumulative Updates and is enabled by default, so only customers who explicitly disabled it are affected.

    The second mitigation is for customers who have disabled the Exchange EM Service for any reason. They are advised to apply the scripted mitigation process described here.
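    Because the recommended mitigation only works where the EM Service is both enabled and able to fetch mitigation definitions, an admin's first job is to confirm that on every server rather than assume the default held. The following PowerShell is an added example, not code from the article or from Microsoft: it reports, per server, whether EEMS is enabled, whether its Windows service (MSExchangeMitigation) is running, and whether the server can reach the Office Configuration Service host over HTTPS, then re-enables EEMS where it was switched off and lists the mitigations applied locally. It assumes an Exchange Management Shell session, an account in Organization Management, WinRM access to each server, and that `officeclient.microsoft.com` is the endpoint EEMS polls (check that against Microsoft's current EEMS documentation).

```powershell
# Added example (not from the article or from Microsoft): audit the Exchange
# Emergency Mitigation Service (EEMS) across all Exchange 2016/2019/SE servers.
# Run from the Exchange Management Shell as a member of Organization Management.

# Assumption: EEMS pulls mitigation definitions over HTTPS from this Office
# Configuration Service host; confirm against Microsoft's current documentation.
$OcsHost = 'officeclient.microsoft.com'

function Get-EemsStatus {
    # Org-wide kill switch; if this is $false, no server applies mitigations.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($srv in Get-ExchangeServer) {
        # Per-server switch toggled by Set-ExchangeServer -MitigationsEnabled.
        $serverEnabled = (Get-ExchangeServer -Identity $srv.Name).MitigationsEnabled

        # The Windows service that performs the hourly check for new mitigations.
        $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
        $svcStatus = if ($svc) { [string]$svc.Status } else { 'NotFound' }

        # Outbound reachability tested from the Exchange server itself (requires WinRM).
        $ocsReachable = Invoke-Command -ComputerName $srv.Name -ArgumentList $OcsHost -ScriptBlock {
            param($h)
            (Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        [pscustomobject]@{
            Server             = $srv.Name
            OrgEnabled         = $orgEnabled
            MitigationsEnabled = $serverEnabled
            ServiceStatus      = $svcStatus
            OcsReachable       = [bool]$ocsReachable
            Healthy            = $orgEnabled -and $serverEnabled -and ($svcStatus -eq 'Running') -and [bool]$ocsReachable
        }
    }
}

# Report first; fix only the servers where an admin turned EEMS off.
$status = Get-EemsStatus
$status | Format-Table -AutoSize

foreach ($s in ($status | Where-Object { -not $_.MitigationsEnabled })) {
    Set-ExchangeServer -Identity $s.Server -MitigationsEnabled $true
    Write-Warning "Re-enabled EEMS on $($s.Server). The service polls hourly, so allow time for the mitigation to land."
}

# Inventory of mitigations on the local server. A row whose Status is 'Applied'
# is what matters, even if its details read "Mitigation invalid for this exchange version."
& (Join-Path $env:ExchangeInstallPath 'Scripts\Get-Mitigations.ps1')
```

    A server that shows `MitigationsEnabled` true but `OcsReachable` false is the case worth chasing: EEMS is "on" yet can never download the mitigation, so that server effectively belongs in the second group and needs the scripted mitigation until outbound HTTPS is fixed.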

    However, neither of these two methods is a robust fix, and both lead to other issues, detailed below:

    • OWA Print Calendar functionality might not work. As a workaround, copy the data or screenshot the calendar you want to print, or use the Outlook desktop client.
    • Inline images might not display correctly in the recipient's OWA reading pane. As a workaround, send images as email attachments or use the Outlook desktop client.
    • OWA Light (OWA URL ending in /?layout=light) does not work properly. Please note that this feature was deprecated several years ago and is not intended for regular production use.
    • We are aware of the mitigation showing "Mitigation invalid for this exchange version." in mitigation details. This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as "Applied". We are investigating how to address this.


    The good news is that Microsoft is working on a proper and robust fix. Exchange SE will receive it as a public update while Exchange 2016 and 2019 updates will only be offered to customers who have paid for Period 2 of the Exchange Server Extended Security Updates (ESU) program. Period 1 customers will not get the update as their program expired in April 2026. Finally, Exchange Online users can rest easy as they are not impacted by this security vulnerability at all.


    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Friday 15 May 2026 at 6:10 pm AEST (my time).

    News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

    RIP Matrix

