Microsoft Warns Exchange Server Flaw Lets Attackers Execute Code via OWA Emails

Microsoft warns of Exchange flaw affecting Outlook Web Access and issues urgent mitigations pending a full fix.


Key Takeaways:

  • A newly disclosed Exchange Server flaw could expose organizations to serious browser-based attacks.
  • Microsoft has released temporary mitigations while administrators wait for a full security patch.
  • Some Outlook Web Access features may be impacted after applying the recommended protections.

Microsoft has disclosed a critical vulnerability in on-premises Exchange Server that allows attackers to execute malicious code through specially crafted emails opened in Outlook Web Access. The company is urging administrators to apply emergency mitigations immediately while it works on a permanent security update for supported commercial customers.

This security vulnerability (tracked as CVE-2026-42897) affects on-premises Microsoft Exchange Server, specifically within Outlook Web Access (OWA). It allows attackers to exploit specially crafted emails so that, when a user opens them under certain conditions, malicious JavaScript can run in the user's browser session, potentially leading to unauthorized actions or data exposure.

According to Microsoft, this issue affects Exchange Server 2016, 2019, and Exchange Server Subscription Edition (SE). However, it doesn't impact Exchange Online customers. Microsoft has released a mitigation through the Exchange Emergency Mitigation (EM) Service. Administrators can use tools such as the Exchange Health Checker to verify mitigation status. Microsoft has also provided a scripted mitigation using the Exchange On-premises Mitigation Tool (EOMT) for environments where EM Service is unavailable.

What could be the impact on OWA features?

Microsoft noted that applying the mitigation could affect some features in Exchange Online. For instance, inline images may no longer display correctly in the OWA reading pane, so sending them as attachments is recommended. Printing calendars from OWA might also fail, requiring users to rely on screenshots or the Outlook desktop app instead. Moreover, the older OWA Light interface, which is already deprecated, may not function properly.

Microsoft is working on a security update to permanently fix the issue for Exchange Server customers. The company will release updates for supported Exchange versions, but some updates (Exchange 2016/2019) will only be available to commercial customers enrolled in the Extended Security Update (ESU) program.