The flaw affects Outlook on the Web through cross-site scripting and prompts administrators to deploy mitigations and verify protections, especially across older on-premises environments.
On 14 May 2026, Microsoft disclosed an actively exploited zero-day vulnerability (CVE-2026-42897) in on-premises Exchange Server that affects Outlook on the Web and can let an attacker run malicious JavaScript in a victim’s browser under certain conditions.
The issue (CVSS 8.1) is being tracked as a high-severity cross-site scripting flaw; Exchange Online is not affected. Microsoft is urging administrators to use its Exchange Emergency Mitigation Service (EEMS), which can push temporary protections automatically to supported servers.
For organizations that cannot connect their servers to Microsoft’s service, a manual mitigation is available through Microsoft’s on-premises mitigation tool.
The warning lands at a tense moment for Exchange users, because Microsoft has repeatedly warned that older on-premises deployments are especially exposed to targeted attacks. Security experts and Microsoft have long viewed Exchange as a high-value target, and the platform has been hit before by major campaigns, including the 2021 ProxyLogon wave.
Administrators are advised to confirm that the mitigation is in place, rather than assuming it succeeded. The supplied Health Checker script is the fastest way to verify whether the temporary protection has been applied.
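One way to do that check from the Exchange Management Shell, as an added example that is not part of the original article: it reads the per-server mitigation properties that Exchange exposes to EEMS (assumed available on Exchange 2016 CU22+ / 2019 CU11+) and flags servers missing a given mitigation. The article does not give the mitigation ID, so the ID below is a placeholder to replace with the one Microsoft publishes.

```powershell
# Added example: report EEMS status per Exchange server and flag any that
# lack the expected mitigation. Run from the Exchange Management Shell.
# PLACEHOLDER: substitute the mitigation ID published by Microsoft for this CVE.
$ExpectedMitigation = 'M<ID-FROM-MICROSOFT-ADVISORY>'

# Organization-wide switch: if this is off, EEMS will not push anything.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level; mitigations will not be applied automatically."
}

$report = foreach ($srv in Get-ExchangeServer) {
    # MitigationsApplied / MitigationsBlocked are lists of mitigation IDs.
    $applied = @($srv.MitigationsApplied)
    $blocked = @($srv.MitigationsBlocked)
    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion
        MitigationsEnabled = $srv.MitigationsEnabled
        Applied            = ($applied -join ',')
        Blocked            = ($blocked -join ',')
        HasExpected        = ($applied -contains $ExpectedMitigation)
    }
}

$report | Format-Table -AutoSize

# Servers without the expected mitigation need manual action (the on-premises
# mitigation tool) or a support check; HealthChecker.ps1 gives the full picture.
$missing = $report | Where-Object { -not $_.HasExpected }
if ($missing) {
    Write-Warning ("Mitigation {0} is NOT applied on: {1}" -f $ExpectedMitigation, ($missing.Server -join ', '))
}
```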
For organizations running older, disconnected, or heavily customized environments, the problem is especially difficult to mitigate: some older Exchange builds cannot receive the newest mitigations automatically, so administrators may have to act manually while waiting for a full patch. A permanent fix is still being prepared, but its timing and availability depend on the Exchange version and support status. That leaves many on-premises customers in a narrow window where temporary defenses are the only immediate protection.
In practical terms, administrators should treat the issue as urgent and check whether their servers are protected now. For organizations that still rely on on-premises Exchange, the latest disclosure is another reminder that the platform remains a frequent and attractive target for attackers.