Urgent Fix Needed for Vulnerable Exchange Servers

Sun May 17 2026
Microsoft’s latest alert focuses on a critical flaw, tracked as CVE‑2026‑42897, that affects on‑premises Exchange Server installations. The bug allows attackers to send a specially crafted email that, when opened in Outlook Web Access, runs malicious JavaScript inside the user’s browser. Because the vulnerability is not tied to any authentication step, anyone on the network can exploit it. Once the code runs, the attacker gains a direct route into an organization’s core identity and messaging systems. The problem does not affect Exchange Online, but it does impact all current versions of on‑premises Exchange: 2016, 2019 and the Subscription Edition. Microsoft has already released a mitigation through its Emergency Mitigation Service (EM Service), but many systems still have the service turned off. To protect themselves, companies should enable EM Service immediately and run Microsoft’s Exchange Health Checker script. The generated report will confirm whether the critical “M2.1.x” mitigation has been applied, confirming that the URI blocks it introduces are in place.
While a full patch is still pending, organizations must rely on this temporary fix. A single misconfigured server can become the entry point for a broader domain compromise, so testing that the mitigation is actually in effect is essential. Experts suggest that this incident highlights the need for businesses to move away from legacy Exchange Servers. Switching to Microsoft’s cloud‑based Exchange Online or placing existing servers behind a zero‑trust gateway can reduce exposure to similar attacks. Cybersecurity analysts warn that attackers study mitigation guidance just as defenders do, meaning they can turn a disclosed flaw into an active exploit faster than many companies can confirm their defenses. Both Microsoft and CISA have confirmed that attacks are already underway, making it mandatory to verify the EM Service status and the applied mitigation. In short, on‑premises Exchange Server owners must act now: enable the Emergency Mitigation Service, validate its operation, and plan a transition to more secure messaging solutions.
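The verification steps described above (enable EM Service, confirm it is running, check which mitigations have been applied, run the Health Checker) can be scripted from the Exchange Management Shell. The following is an added example written for this page, not a script from Microsoft or from the article. It uses the documented Exchange cmdlets and properties (Get-OrganizationConfig / Set-OrganizationConfig -MitigationsEnabled, Get-ExchangeServer / Set-ExchangeServer -MitigationsEnabled, the MitigationsApplied and MitigationsBlocked properties, and the MSExchangeMitigation Windows service). The server name, the Health Checker script path, the Office Config Service endpoint used for the connectivity test, and the mitigation identifier “M2.1.x” (taken from the article as quoted, which you should replace with the exact ID shown in your Health Checker report) are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): verify Emergency Mitigation Service (EM Service)
# state on an on-premises Exchange server and report whether a given mitigation is applied.
# Run from the Exchange Management Shell as an Exchange administrator, on the server itself.

# --- Assumptions / placeholders -------------------------------------------------
$Server             = $env:COMPUTERNAME                                   # assumption: run locally
$ExpectedMitigation = 'M2.1.x'                                            # as quoted in the article; replace with the exact ID from the Health Checker report
$HealthCheckerPath  = Join-Path $env:ExchangeInstallPath 'Scripts\HealthChecker.ps1'  # assumption: script was downloaded here
$OcsEndpoint        = 'officeclient.microsoft.com'                        # assumption: Office Config Service host EM Service polls; confirm against current Microsoft docs

function Get-EmServiceStatus {
    param([string]$Identity, [string]$MitigationId)

    # 1. Organization-wide switch: if this is $false, EM Service applies nothing anywhere.
    $org = Get-OrganizationConfig
    if (-not $org.MitigationsEnabled) {
        Write-Warning 'Mitigations are disabled at the organization level; enabling.'
        Set-OrganizationConfig -MitigationsEnabled $true
    }

    # 2. Per-server switch: a single server opted out is the "one misconfigured server" the article warns about.
    $srv = Get-ExchangeServer -Identity $Identity
    if (-not $srv.MitigationsEnabled) {
        Write-Warning "Mitigations are disabled on $Identity; enabling."
        Set-ExchangeServer -Identity $Identity -MitigationsEnabled $true
        $srv = Get-ExchangeServer -Identity $Identity
    }

    # 3. The Windows service must actually be running; an enabled flag with a stopped service is a false sense of safety.
    $svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning 'MSExchangeMitigation service not found; is this Exchange 2016 CU22+ / 2019 CU11+ / SE?'
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "MSExchangeMitigation is $($svc.Status); starting it."
        Start-Service -Name 'MSExchangeMitigation'
    }

    # 4. EM Service cannot fetch mitigations without outbound HTTPS to the Office Config Service.
    $reach = Test-NetConnection -ComputerName $OcsEndpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

    # 5. Which mitigations this server has applied / blocked, straight from the server object.
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    $hasExpected = $applied -contains $MitigationId

    [pscustomobject]@{
        Server               = $Identity
        OrgMitigationsOn     = (Get-OrganizationConfig).MitigationsEnabled
        ServerMitigationsOn  = $srv.MitigationsEnabled
        ServiceRunning       = ($svc -and $svc.Status -eq 'Running')
        OcsReachable         = $reach
        MitigationsApplied   = $applied
        MitigationsBlocked   = $blocked
        ExpectedMitigationOK = $hasExpected
    }
}

$status = Get-EmServiceStatus -Identity $Server -MitigationId $ExpectedMitigation
$status | Format-List

if (-not $status.ExpectedMitigationOK) {
    Write-Warning "Mitigation '$ExpectedMitigation' is NOT reported as applied on $Server."
}

# 6. Cross-check with Microsoft's Health Checker, which the article recommends; it produces an HTML report.
if (Test-Path $HealthCheckerPath) {
    & $HealthCheckerPath -Server $Server
} else {
    Write-Warning "HealthChecker.ps1 not found at $HealthCheckerPath; download it from Microsoft's Exchange scripts repository."
}
```

Read the result as a whole rather than any single field: MitigationsEnabled can be true at both levels while the service is stopped or cannot reach the Office Config Service, and in that state no mitigation ever lands on the server. Run it against every on-premises Exchange server, not just the one you happen to be logged on to, since the article’s point is that one unmitigated server is enough.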
https://localnews.ai/article/urgent-fix-needed-for-vulnerable-exchange-servers-fdd162d6
