Microsoft has confirmed active exploitation of CVE-2026-42897, a cross-site scripting flaw in on-prem Exchange Server. As reported by Help Net Security, attackers send a specially crafted email that, when opened in Outlook Web Access under certain interaction conditions, runs arbitrary JavaScript in the user’s browser. There’s no patch yet — Microsoft has released temporary mitigations and is still working on a permanent fix.
The bug affects Exchange Server 2016, Exchange Server 2019, and the new Subscription Edition. Exchange Online is not affected. If your business still runs an on-prem Exchange mailbox server — and plenty of Australian SMBs do, particularly those with hybrid setups — you’re in scope. Successful exploitation can lead to session hijacking, credential theft and mailbox content disclosure, all of which would trigger your Privacy Act notification obligations if customer or staff data is exposed.
Two things to do this week, in order. First, confirm the Exchange Emergency Mitigation Service is running. It’s enabled by default and Microsoft is pushing the fix through it automatically — but if anyone has turned it off, the mitigation never arrives. Second, if EMS is disabled, run the Exchange On-Premises Mitigation Tool (EOMT) script manually today, then re-enable EMS. After that, make sure you’re on supported builds (Exchange SE RTM, 2016 CU23, or 2019 CU14/CU15) and enrolled in the Period 2 Extended Security Update program so you can install the eventual permanent patch.
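An added example, not from the original post, of how the EMS check in the first step can be done in one pass from the Exchange Management Shell on the mailbox server. It uses the MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties Microsoft documents for the Emergency Mitigation Service; the server name defaulting to the local machine and the `-Remediate` switch are this example's own assumptions.

```powershell
# Added example: health check for the Exchange Emergency Mitigation Service (EMS).
# Run from the Exchange Management Shell on the mailbox server being checked.
# Assumption: $env:COMPUTERNAME is the Exchange server; pass -Remediate only
# after EOMT.ps1 has been run, per the post's ordering.
param(
    [string]$Server = $env:COMPUTERNAME,
    [switch]$Remediate
)

# 1. The Windows service behind EMS. If it is not running, nothing is pushed.
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
$serviceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

# 2. Mitigations can be switched off for the whole organisation or per server;
#    either flag being $false means the automatic mitigation never arrives.
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $Server
$orgEnabled = [bool]$org.MitigationsEnabled
$srvEnabled = [bool]$srv.MitigationsEnabled
$healthy = $serviceRunning -and $orgEnabled -and $srvEnabled

# 3. Report build (compare against the supported CUs named in the post) and
#    what EMS has actually applied or been blocked from applying.
[PSCustomObject]@{
    Server             = $srv.Name
    Build              = $srv.AdminDisplayVersion
    ServiceRunning     = $serviceRunning
    OrgMitigations     = $orgEnabled
    ServerMitigations  = $srvEnabled
    MitigationsApplied = ($srv.MitigationsApplied -join ', ')
    MitigationsBlocked = ($srv.MitigationsBlocked -join ', ')
    EmsHealthy         = $healthy
} | Format-List

# 4. Unhealthy: the post's second step is to run EOMT manually first, then
#    re-enable EMS. The re-enable only happens when -Remediate is passed.
if (-not $healthy) {
    Write-Warning "EMS is not healthy on $Server. Run EOMT.ps1 (https://aka.ms/EOMT) now."
    if ($Remediate) {
        if (-not $orgEnabled) { Set-OrganizationConfig -MitigationsEnabled $true }
        if (-not $srvEnabled) { Set-ExchangeServer -Identity $Server -MitigationsEnabled $true }
        if ($svc -and $svc.Status -ne 'Running') { Start-Service -Name 'MSExchangeMitigation' }
    }
}
```

Re-run without `-Remediate` afterwards and confirm MitigationsApplied lists the mitigation for this CVE before treating the server as covered.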
If you’re not sure whether your Exchange instance is mitigated, whether EMS is healthy, or whether you should still be running on-prem at all, our cybersecurity team can audit it this week.