Critical Microsoft Exchange Server RCE Vulnerability Under Active Attack CVE-2023-21529
Key Takeaways A critical spoofing vulnerability, CVE-2026-42897, in Microsoft Exchange Server is under active exploitation. The flaw specifically impacts on-premises versions of Exchange Server 2016,...
Key Takeaways
- A critical spoofing vulnerability, CVE-2026-42897, in Microsoft Exchange Server is under active exploitation.
- The flaw specifically impacts on-premises versions of Exchange Server 2016, 2019, and Subscription Edition.
- The vulnerability has a CVSS 3.1 score of 8.1 and allows for arbitrary JavaScript execution via crafted emails in Outlook Web Access.
- Microsoft has released an emergency mitigation (M2.1.x) through the Exchange Emergency Mitigation Service, with a permanent patch in development.
- Cloud-based Microsoft Exchange Online is not affected.
Microsoft Exchange Server Under Attack: Critical Spoofing Flaw Exploited In The Wild
Microsoft has issued an urgent security alert concerning a newly identified vulnerability within its Exchange Server platform, which is actively being exploited by threat actors. This critical spoofing flaw, designated CVE-2026-42897, carries a severe CVSS 3.1 rating of 8.1 and poses a significant risk to organizations utilizing on-premises Exchange infrastructure.
Table Of Content
Cybersecurity analysts have confirmed that the vulnerability targets the Microsoft Exchange Outlook Web Access (OWA) service. Attackers are leveraging this network-based weakness to compromise systems before a comprehensive, permanent patch can be deployed. Due to the ongoing active exploitation, system administrators are strongly advised to implement temporary defensive measures without delay.
It is important to note that this security risk is isolated to on-premises deployments. Organizations that rely on cloud-based Microsoft Exchange Online are not affected by this particular threat vector.
Technical Details of the Exchange Server Flaw
The core of this cyberattack lies in improper input neutralization during the generation of web pages, a vulnerability commonly categorized as a cross-site scripting (XSS) weakness. An attacker can exploit this issue by sending a specially crafted email directly to a target user.
If the recipient opens this malicious message within Outlook Web Access and fulfills certain interaction conditions, the embedded payload allows for the seamless execution of arbitrary JavaScript within the user’s browser. Security researchers indicate that this execution path effectively enables network-level spoofing without requiring any prior administrative privileges.
The vulnerability affects several major iterations of the platform, specifically impacting Exchange Server 2016, Exchange Server 2019, and the Exchange Server Subscription Edition across all cumulative update levels. The combination of low attack complexity and a network-based execution model makes this a highly potent tool for threat actors aiming to hijack user sessions or manipulate local browser data.
Emergency Mitigations and Future Patches
While a permanent security update is currently undergoing development and rigorous testing, Microsoft has proactively deployed a temporary safeguard through its automated Exchange Emergency Mitigation Service. For organizations that have this service enabled by default, the specific mitigation identified as M2.1.x is automatically applied to protect vulnerable environments.
Administrators operating in disconnected or air-gapped networks, however, must manually download and execute the latest Exchange on-premises Mitigation Tool script via an elevated management shell to achieve the necessary protection.
Implementing this emergency mitigation introduces minor operational side effects that IT teams should be aware of. Microsoft documentation indicates that the Outlook Web Access Print Calendar functionality may cease to work properly, requiring users to rely on the desktop client or take manual screenshots. Furthermore, inline images might not display correctly within the reading pane, necessitating workarounds such as sending images as direct attachments.
Despite these cosmetic and functional disruptions, the security community strongly advises organizations to maintain the mitigation in an active state. Microsoft software engineers are actively finalizing a permanent official fix that meets their stringent quality assurance standards. Once released, the security update will be made publicly available for the Exchange Server Subscription Edition.
However, permanent updates for older versions, such as Exchange 2016 and 2019, will only be provided to customers who are actively enrolled in the Period 2 Exchange Server Extended Security Update program. Organizations still relying on older cumulative updates are strongly encouraged to upgrade their infrastructure immediately to ensure compatibility with the final patch when it is deployed.
What You Should Do
- Apply Emergency Mitigation: Ensure the Exchange Emergency Mitigation Service is enabled and functioning. For air-gapped networks, manually download and run the Exchange on-premises Mitigation Tool script.
- Monitor for Official Patches: Stay vigilant for the release of the permanent security update from Microsoft.
- Upgrade Older Versions: If using Exchange Server 2016 or 2019, consider enrolling in the Extended Security Update program or upgrading to a newer, supported version to receive future permanent patches.
- Educate Users: Remind users about the risks of opening suspicious emails, particularly in Outlook Web Access, even with mitigations in place.
- Review Logs: Actively monitor Exchange Server logs for any indicators of compromise or unusual activity.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.