Microsoft Exchange Has a Zero-Day With No Patch. Here's What That Means.

A high-severity Exchange Server vulnerability is being actively exploited and Microsoft has no fix yet. If you're still running on-premises Exchange, here's what you need to know right now.

On May 15, Microsoft disclosed a high-severity vulnerability in Exchange Server that is already being exploited in the wild. The tracking number is CVE-2026-42897. There is no patch.

If you’re still running on-premises Exchange, that last sentence is the one to sit with.

What the vulnerability does

An attacker sends a specially crafted email to someone in your organization. If that person opens the email in Outlook Web Access (the browser-based version of Outlook) and certain interaction conditions are met, the attacker can execute arbitrary JavaScript in their browser session.

That might sound minor compared to ransomware. It’s not. Browser-based code execution in an authenticated session means an attacker can steal credentials, silently create email forwarding rules to exfiltrate messages, or move laterally into other systems. It’s the kind of initial access that shows up in breach reports six months later as “how it started.”

The vulnerability affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE), all running current updates.

The mitigation (and its limits)

Since there’s no patch, Microsoft is relying on the Exchange Emergency Mitigation Service (EEMS) to provide interim protection. EEMS is a Windows service that runs on Exchange Mailbox servers and can apply temporary mitigations automatically when Microsoft publishes them.

Here’s the catch: EEMS only works if it’s enabled and if your server is running a version of Exchange from March 2023 or later. If your organization disabled EEMS at some point, or if you’re running an older build, you’re exposed with no automated protection.

Microsoft also released the Exchange On-premises Mitigation Tool (EOMT) for air-gapped environments. But applying the mitigation breaks some functionality: OWA print calendar stops working, inline images may not display correctly in the reading pane, and OWA Light stops functioning.

The bigger problem: end of support

Exchange Server 2016 and 2019 reached end of support in October 2025. Microsoft has said that patches for CVE-2026-42897 will only be available to organizations enrolled in the paid Extended Security Update (ESU) program. If you’re running end-of-support Exchange without ESU, you won’t get a fix at all.

This is happening now: active exploitation, with no fix in sight unless you’re paying for the extended support that many small organizations skipped.

Meanwhile, at Pwn2Own Berlin

The same week Microsoft disclosed this zero-day, security researchers at the Pwn2Own Berlin 2026 hacking competition demonstrated a separate Exchange exploit. Orange Tsai of DEVCORE chained three bugs together to achieve remote code execution with SYSTEM-level privileges on Exchange Server, earning $200,000 in the process. (This is the same competition where researchers demonstrated the first AI-generated zero-day category this year.)

That’s two independent Exchange attack paths disclosed in a single week. One is being actively exploited by criminals. The other was demonstrated by researchers who gave Microsoft 90 days to patch it before publishing details.

CISA has now added 19 Exchange Server vulnerabilities to its Known Exploited Vulnerabilities catalog. Fourteen of those 19 have been used in ransomware attacks.

What you should do right now

If you’re running on-premises Exchange:

  1. Verify EEMS is enabled and running. Check that the service is active on every Mailbox server. If it was disabled, re-enable it immediately.
  2. Confirm your Exchange build version. If you’re running anything older than the March 2023 cumulative update, EEMS cannot check for new mitigations.
  3. Check your ESU enrollment. If you’re on Exchange 2016 or 2019 without Extended Security Updates, you have no path to a permanent fix for this vulnerability.
  4. Review your OWA exposure. If Outlook Web Access is published to the internet, your attack surface is larger. Consider whether external OWA access is necessary.
  5. Plan your migration. Every month on end-of-support Exchange is borrowed time. Exchange Online eliminates this entire class of risk because Microsoft patches it for you, continuously, without downtime windows or ESU fees. (Your cyber insurance carrier may also be asking about supported software on your next renewal.)
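A consolidated audit for steps 1, 2 and 4 above, as an added example that is not from the original post or from Microsoft. It assumes it is run from the Exchange Management Shell on a Mailbox server, that the EEMS Windows service is named MSExchangeMitigation, and that `$MinimumBuild` is a placeholder you replace with the March 2023 build number for your Exchange version from Microsoft's build-number table.

```powershell
# Added example (not from the original post or from Microsoft): audit the EEMS
# prerequisites described in steps 1, 2 and 4. Run from the Exchange Management Shell.
# Assumptions: the EEMS Windows service is named MSExchangeMitigation; $MinimumBuild is a
# PLACEHOLDER you replace with the March 2023 build number for your Exchange version,
# taken from Microsoft's Exchange Server build-number table.

$MinimumBuild = [Version]'0.0.0.0'   # PLACEHOLDER: March 2023 build for your version

$orgMitigations = (Get-OrganizationConfig).MitigationsEnabled   # org-wide EEMS switch

$report = foreach ($srv in (Get-ExchangeServer | Where-Object { $_.IsMailboxServer })) {

    # Step 2: parse "Version 15.2 (Build 1544.4)" into a comparable [Version].
    $build = $null
    if ("$($srv.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        $build = [Version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }

    # Step 1: is the EEMS service present and running on this server?
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    # Step 4: an OWA virtual directory with an ExternalUrl is published beyond the LAN.
    $owaExternal = (Get-OwaVirtualDirectory -Server $srv.Name |
        Where-Object { $_.ExternalUrl } | ForEach-Object { $_.ExternalUrl.ToString() }) -join ', '

    [PSCustomObject]@{
        Server             = $srv.Name
        Build              = $build
        BuildTooOld        = ($null -eq $build) -or ($build -lt $MinimumBuild)
        EemsServiceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
        EemsOrgEnabled     = $orgMitigations
        EemsServerEnabled  = $srv.MitigationsEnabled      # per-server switch exposed by Exchange
        MitigationsApplied = ($srv.MitigationsApplied -join ', ')
        OwaExternalUrl     = $owaExternal
    }
}

$report | Format-Table -AutoSize

# Anything listed here has no automated EEMS protection and needs attention first.
$report | Where-Object { $_.BuildTooOld -or -not $_.EemsServiceRunning -or
                         -not $_.EemsOrgEnabled -or -not $_.EemsServerEnabled } |
    Format-List Server, Build, BuildTooOld, EemsServiceRunning, EemsOrgEnabled, EemsServerEnabled
```

Servers flagged by the final filter are the ones step 3 matters most for: without ESU there is no permanent fix, and without EEMS there is not even an interim one.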

This keeps happening

ProxyLogon in 2021. ProxyShell in 2021. ProxyNotShell in 2022. Now CVE-2026-42897 in 2026. Pwn2Own researchers keep finding new chains because the attack surface is enormous and the codebase is decades old.

Every one of these vulnerabilities hit organizations running their own email servers. None of them hit Exchange Online.

If your firm is still on-premises Exchange because “it works fine” or because migration sounds expensive, this is the week to revisit that decision. You’re not just paying for maintenance and licensing anymore. You’re paying for the privilege of being exposed to unpatched vulnerabilities on a product Microsoft is clearly winding down.

At some point “it works fine” stops being true, and you don’t always get to pick when.