Exchange Server 2016 And 2019 Hit By Critical OWA Vulnerability
Targets systems with Exchange EM Service disabled
Microsoft has warned customers about a new critical security vulnerability affecting on-premises Exchange Server deployments. The flaw, tracked as CVE-2026-42897, impacts Microsoft Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE).
According to Microsoft, the vulnerability could allow attackers to execute arbitrary JavaScript code inside a victim’s browser session through Outlook Web Access (OWA). The attack requires a user to receive a specially crafted email, open it in OWA, and interact with the message in a specific way.
If successfully exploited, the flaw could lead to session hijacking, credential theft, and broader compromise of Exchange environments.
Microsoft clarified that Exchange Online customers are not affected. The issue only impacts on-premises Exchange Server installations.
Microsoft recommends enabling Exchange EM Service
As a mitigation, Microsoft recommends enabling the Exchange Emergency Mitigation (EM) Service. The company noted that the service was released in September 2021 and is enabled by default, meaning most organizations should already have protection in place unless administrators manually disabled it.
For organizations that turned the service off, Microsoft advises applying its scripted mitigation process instead.
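A quick way for administrators to find out which servers fall into that second group is to query the EM service status per server. The script below is an added example, not from the article or from Microsoft; it assumes an Exchange Management Shell session with permission to read every server object, and uses the documented MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties of Get-OrganizationConfig and Get-ExchangeServer.

```powershell
# Added example: report Exchange Emergency Mitigation (EM) service status
# across the organization. Assumes an Exchange Management Shell session.
# A server whose effective EM state is $false is one that needs
# Microsoft's scripted mitigation applied manually.

# Organization-wide switch: if this is off, EM is off on every server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization-level MitigationsEnabled: $orgEnabled"

# Per-server state, plus which mitigations have actually been applied or blocked.
$report = foreach ($server in Get-ExchangeServer) {
    [pscustomobject]@{
        Server              = $server.Name
        Version             = $server.AdminDisplayVersion
        MitigationsEnabled  = $server.MitigationsEnabled
        MitigationsApplied  = ($server.MitigationsApplied -join ', ')
        MitigationsBlocked  = ($server.MitigationsBlocked -join ', ')
        # EM only works when both the org switch and the server switch are on.
        EffectiveEM         = [bool]($orgEnabled -and $server.MitigationsEnabled)
    }
}

$report | Format-Table -AutoSize

# Call out the servers that need the manual, scripted mitigation instead.
$unprotected = $report | Where-Object { -not $_.EffectiveEM }
if ($unprotected) {
    Write-Warning ("EM service is disabled on: " + ($unprotected.Server -join ', ') +
                   ". Apply Microsoft's scripted mitigation on these servers.")
} else {
    Write-Host "EM service is enabled on all Exchange servers."
}
```

Run it again after re-enabling the service or applying the scripted mitigation to confirm the change took effect on each server.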
The company also acknowledged several potential side effects tied to the mitigations. Some users may experience issues with OWA Print Calendar, inline image rendering, and OWA Light mode functionality. Microsoft recommends using the Outlook desktop client, sending images as attachments, or relying on screenshots for calendar sharing as temporary workarounds.
Microsoft says some mitigation warnings are cosmetic
Some administrators may encounter a warning stating “Mitigation invalid for this exchange version.” Microsoft says this is only a cosmetic issue and does not indicate mitigation failure if the status still shows as “Applied.”
The company is currently developing a permanent fix for the vulnerability. However, patch availability will depend on each organization’s Exchange support status.
Exchange Server SE customers will receive the update normally. For Exchange Server 2016 and 2019, only customers enrolled in Period 2 of the Exchange Server Extended Security Update (ESU) program will receive access to the security update.
Organizations still using Period 1 ESU will not receive fixes because support expired in April 2026.
Microsoft continues long-term Exchange support plans
Despite ongoing maintenance and security challenges tied to legacy on-premises infrastructure, Microsoft says it plans to continue supporting Exchange Server until 2035.
The latest vulnerability also highlights Microsoft’s ongoing push toward Exchange Online. Cloud-managed environments benefit from centralized patching, faster mitigations, and broader built-in protections compared to traditional on-premises deployments.
Microsoft is also preparing Priority Cleanup V2 for Exchange Online and plans to block legacy TLS connections starting in July 2026.
Via Neowin