Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers
ID: dcb024eb-3fc9-5502-a250-5d56f310b73c
STIX ID: report--dcb024eb-3fc9-5502-a250-5d56f310b73c
Feed Name: Infosecurity Magazine (News)
Microsoft disclosed a high-severity zero-day XSS vulnerability (CVE-2026-42897, CVSS 8.1) in on-premises Exchange Server (all supported 2016, 2019, and Subscription Edition versions) that could allow an attacker to deliver arbitrary code via specially crafted email. No patch is yet available; Microsoft recommends enabling the Exchange Emergency Mitigation (EM) Service (applied by default where available) or applying the Exchange On‑premises Mitigation Tool (EOMT) for disconnected environments while updates are developed.
