
Exchange Server has a "critical" security bug, but Microsoft does not have a proper fix yet

A newly disclosed Exchange Server vulnerability is forcing some admins into messy trade-offs, and not everyone will receive Microsoft's permanent fix.


Although Exchange Online is Microsoft's recommended configuration to keep your platform modern and updated, Exchange Server continues to be the backbone for many enterprise clients' infrastructure. Now, the Redmond tech firm has issued an advisory that may trouble Exchange Server customers.

Basically, there is a security vulnerability in Exchange Server 2016, 2019, and SE, which enables an attacker to execute arbitrary JavaScript code in the victim's browser context by sending them a specially crafted email that has to be opened in Outlook Web Access (OWA) and interacted with in a certain way. It is being tracked as CVE-2026-42897 and has been assigned a max severity ranking of "critical".

For now, Microsoft is offering two mitigations. The first one is the recommended approach and requires customers to enable the Exchange EM Service, which automatically mitigates this attack vector. It is important to note that this service was released in September 2021 and is enabled by default, so only customers who explicitly disabled it are impacted.

The second mitigation is for customers who have disabled the Exchange EM Service for any reason. They are advised to apply the scripted mitigation process described here.
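Because the split between the two mitigations hinges on whether the EM Service is actually active, an admin's first step is an inventory. The following audit script is an added example, not from the article or from Microsoft; it assumes an Exchange Management Shell session with view-only rights, WinRM access to each server, and the documented `MitigationsEnabled`/`MitigationsApplied`/`MitigationsBlocked` properties and the `MSExchangeMitigation` Windows service.

```powershell
# Added audit script (not from the article or Microsoft): reports, per Exchange
# server, whether the Emergency Mitigation (EM) service is enabled and running,
# so admins can see who falls into the "explicitly disabled" group the article
# describes. Assumptions: Exchange 2016/2019/SE cmdlets and properties
# (Get-OrganizationConfig / Get-ExchangeServer expose MitigationsEnabled,
# MitigationsApplied, MitigationsBlocked), the Windows service is named
# MSExchangeMitigation, and Get-Service can reach each server remotely.

# Org-level switch: if this is $false, EM is off everywhere regardless of
# the per-server setting.
$org = Get-OrganizationConfig
$orgEnabled = [bool]$org.MitigationsEnabled

$report = foreach ($srv in Get-ExchangeServer | Sort-Object Name) {
    # Per-server switch (set with Set-ExchangeServer -MitigationsEnabled).
    $serverEnabled = [bool]$srv.MitigationsEnabled

    # Windows service state; a stopped or disabled service also means
    # no mitigations are being applied on that host.
    $svcState = try {
        (Get-Service -Name MSExchangeMitigation -ComputerName $srv.Name -ErrorAction Stop).Status
    } catch { 'Unreachable' }

    [pscustomobject]@{
        Server        = $srv.Name
        Version       = $srv.AdminDisplayVersion
        OrgEnabled    = $orgEnabled
        ServerEnabled = $serverEnabled
        ServiceStatus = $svcState
        Applied       = ($srv.MitigationsApplied -join ',')
        Blocked       = ($srv.MitigationsBlocked -join ',')
        # Effective only when all three hold: org switch, server switch, running service.
        EMEffective   = ($orgEnabled -and $serverEnabled -and ($svcState -eq 'Running'))
    }
}

$report | Format-Table -AutoSize

# Servers flagged here are in the article's second case: either re-enable EM
# (Set-OrganizationConfig / Set-ExchangeServer -MitigationsEnabled $true and
# start the service) or apply Microsoft's scripted mitigation on each of them.
$report | Where-Object { -not $_.EMEffective } | ForEach-Object {
    Write-Warning "EM not effective on $($_.Server): apply the scripted mitigation or re-enable EM."
}
```

The `Applied` column also shows whether the mitigation for this advisory has already landed on each server once Microsoft publishes it, which is the quickest way to confirm coverage across a fleet.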

However, neither of these two methods is a robust fix, as both will lead to other issues, detailed below:

  • OWA Print Calendar functionality might not work. As a workaround, copy the data or screenshot the calendar you want to print, or use the Outlook Desktop client.
  • Inline images might not display correctly in the recipient's OWA reading pane. As a workaround, send images as email attachments or use the Outlook Desktop client.
  • OWA light (OWA URL ending in /?layout=light) does not work properly. Please note that this feature was deprecated several years ago and is not intended for regular production use.
  • We are aware of the mitigation showing "Mitigation invalid for this exchange version." in mitigation details. This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as "Applied". We are investigating how to address this.

The good news is that Microsoft is working on a proper and robust fix. Exchange SE will receive it as a public update while Exchange 2016 and 2019 updates will only be offered to customers who have paid for Period 2 of the Exchange Server Extended Security Updates (ESU) program. Period 1 customers will not get the update as their program expired in April 2026. Finally, Exchange Online users can rest easy as they are not impacted by this security vulnerability at all.
