
Microsoft Exchange Zero-Day (CVE-2026-42897) Under Active Attack — CISA Sets May 29 Deadline

York Computer

If your business still runs an on-premises Microsoft Exchange server — or your IT provider does on your behalf — there's an active zero-day you need to know about right now. On May 14, Microsoft disclosed CVE-2026-42897, a vulnerability in Outlook Web Access that attackers are already exploiting by sending booby-trapped emails. There's no permanent patch yet, only an emergency mitigation. CISA has given federal agencies until May 29 to address it, and small businesses should treat that same deadline as their own.

What happened

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a vulnerability affecting Exchange Outlook Web Access (OWA) that an attacker could exploit by sending a specially crafted email to a user. The flaw carries a CVSS score of 8.1 and affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition, while Exchange Online is not impacted.

The attack chain is unusually quiet for an Exchange bug. Microsoft's Exchange Team described it this way: "an attacker could exploit this issue by sending a specially crafted email to a user, and if the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context." In plain English: a user opens what looks like a normal email in their web browser, and the attacker gets code running in that session — enough to spoof the user, steal credentials, or pivot further into your environment.

Microsoft warned that attackers are exploiting this Exchange Server zero-day in the wild. CISA, on May 15, 2026, added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply the necessary mitigations by May 29, 2026. That's the federal deadline — but private businesses running the same software face the same threat.

Why this matters for a small business in York County

Plenty of small and mid-sized businesses in our area still run on-premises Exchange — law firms, medical practices, manufacturers with legacy mail servers tucked into a closet. If that's you, this bug is sitting on the perimeter of your network right now, reachable by anyone who can email your users.

Successful exploitation could enable data theft, lateral movement, ransomware deployment, or complete infrastructure takeover. That's the same playbook we've seen in nearly every major Pennsylvania ransomware case over the past two years — initial access through an email or perimeter device, then weeks of quiet reconnaissance before encryption hits. Layered defenses for small businesses in York exist precisely to break that chain before it gets to the ransomware step.

And there's no patch yet. A permanent fix is still in the works; in the meantime, Microsoft provided temporary mitigations.

What your IT provider should be doing this week

There's a clear, short checklist here, and it's the kind of thing a competent managed service provider should already be working through without being asked:

1. **Inventory every on-prem Exchange server.** Including ones nobody talks about anymore. CVE-2026-42897 affects every on-prem Exchange Server 2016, 2019, and Subscription Edition system on which the Microsoft mitigation has not been applied.

2. **Confirm the Emergency Mitigation Service is enabled and the M2 mitigation applied.** Microsoft's immediate mitigation guidance is to rely on the Exchange Emergency Mitigation Service, which applies protection automatically through a URL Rewrite configuration and is enabled by default on supported on-prem Exchange deployments. Default does not mean "definitely on" — it has to be verified on each server.

3. **For air-gapped or disconnected servers**, run the manual tool. If the Exchange Emergency Mitigation Service cannot be used, such as in air-gapped environments, Microsoft instructs administrators to deploy the latest Exchange On-premises Mitigation Tool (EOMT) and apply the CVE-specific mitigation either per server or across all Exchange servers through Exchange Management Shell.

4. **Watch for the known side effects.** After applying the mitigation, OWA Print Calendar functionality might not work — as a workaround, copy the data or screenshot the calendar, or use Outlook Desktop client. Inline images might not display correctly in recipients' OWA reading pane — as a workaround, send images as email attachments or use Outlook Desktop client. Users will notice these things. Your help desk should already have a one-line answer ready.

5. **Reduce OWA exposure.** If your users don't actually need webmail from the open internet, restrict it. That's basic network and firewall hygiene, and it dramatically shrinks the attack surface for bugs like this one. This kind of layered approach is the whole point of a proper managed IT program — patching alone is not enough when the patches don't exist yet.

6. **Plan for the real patch.** Patches are in development for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15 — though patches for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server ESU program. If you're on an older Exchange build and not enrolled in ESU, you may be on the mitigation indefinitely — which is a business decision your provider needs to surface now, not in six months.
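Steps 1, 2 and 5 of that checklist reduce to one pass from the Exchange Management Shell. The script below is an added example (not code from this post, from York Computer, or from Microsoft): it reports, per mailbox server, whether the Emergency Mitigation Service is enabled and its Windows service is running, which mitigations Exchange itself says are applied or blocked, and which servers publish an external OWA URL. The cmdlets and properties it uses (Get-OrganizationConfig, Get-ExchangeServer with MitigationsEnabled/MitigationsApplied/MitigationsBlocked, Get-OwaVirtualDirectory, the MSExchangeMitigation service) are standard Exchange ones; the mitigation ID "M2" is taken from the advisory text above, and matching it as a prefix in MitigationsApplied is an assumption about how the ID is listed.

```powershell
# Added example, not from the original post or Microsoft. Run from Exchange
# Management Shell on a server with Exchange admin rights.

# Assumption: the mitigation the advisory calls "M2" appears in
# MitigationsApplied with that prefix (IDs may carry a suffix, so match on prefix).
$RequiredMitigation = 'M2'

# Organization-wide switch: if this is False, EEMS is off everywhere,
# regardless of what individual servers report.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level (Get-OrganizationConfig MitigationsEnabled = False).'
}

$report = foreach ($server in Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }) {
    # Per-server EEMS state as recorded by Exchange.
    $applied = @($server.MitigationsApplied | ForEach-Object { "$_" })
    $blocked = @($server.MitigationsBlocked | ForEach-Object { "$_" })
    $hasRequired     = ($applied | Where-Object { $_ -like "$RequiredMitigation*" }).Count -gt 0
    $requiredBlocked = ($blocked | Where-Object { $_ -like "$RequiredMitigation*" }).Count -gt 0

    # Is the mitigation service actually running on the box? "Enabled" in
    # Exchange config means nothing if the service is stopped or missing.
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue

    # Step 5: does this server publish OWA to the internet at all?
    $owaExternal = (Get-OwaVirtualDirectory -Server $server.Name -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ExternalUrl } | Where-Object { $_ }) -join ', '

    [pscustomobject]@{
        Server             = $server.Name
        Version            = $server.AdminDisplayVersion
        EEMSEnabled        = [bool]$server.MitigationsEnabled
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        MitigationsApplied = ($applied -join ', ')
        MitigationsBlocked = ($blocked -join ', ')
        OwaExternalUrl     = if ($owaExternal) { $owaExternal } else { '(none)' }
        # Protected only if EEMS is on, the service is running, and the
        # required mitigation is applied and not blocked.
        Protected          = [bool]$server.MitigationsEnabled -and
                             ($svc -and $svc.Status -eq 'Running') -and
                             $hasRequired -and -not $requiredBlocked
    }
}

$report | Format-Table Server, Version, EEMSEnabled, ServiceStatus, MitigationsApplied, OwaExternalUrl, Protected -AutoSize

# Anything not protected is this week's work list. Servers that cannot reach
# Microsoft (air-gapped) will never show the mitigation via EEMS; those need
# the EOMT path the post describes.
$report | Where-Object { -not $_.Protected } | ForEach-Object {
    Write-Warning "$($_.Server): mitigation '$RequiredMitigation' not confirmed (EEMS=$($_.EEMSEnabled), service=$($_.ServiceStatus), applied=[$($_.MitigationsApplied)], blocked=[$($_.MitigationsBlocked)])."
}
```

Read the table with the checklist in mind: a server with an external OWA URL and Protected = False is both reachable and unmitigated, and goes to the top of the list. Treat "Protected" as a reading of what Exchange reports about itself, not as proof; the site-specific step, confirming the URL Rewrite rule is present in IIS on each server, is deliberately left out here because the rule's name and pattern come from Microsoft's mitigation, not from this post.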

The bigger picture: on-prem Exchange is a shrinking, sharper target

Exchange has been one of the most-attacked enterprise products on the internet for years. The Emergency Mitigation Service was introduced in September 2021 to provide automated protection for on-premises Exchange servers, applying interim mitigations for high-risk and likely actively exploited vulnerabilities — it was added after many hacking groups exploited ProxyLogon and ProxyShell zero-days to breach internet-exposed Exchange servers.

For most small businesses, the long-term answer is to get off on-prem Exchange entirely and onto Microsoft 365, where Microsoft patches the back end for you. That's a real project, not a weekend job — but if your business is still running Exchange 2016 in a closet because "it works," this advisory is your reminder that "works" and "safe" are not the same thing. Continuous monitoring of servers and endpoints is the bridge between today's mitigation and tomorrow's migration.

What York Businesses Should Do

York County businesses on on-prem Exchange should verify the M2 mitigation status on every mail server before the May 29 federal deadline — and if you don't know who has admin rights on your Exchange box, that's the call to make this week. York Computer can audit your mail environment and confirm whether your servers are actually protected, not just assumed to be.


Worried whether your business is exposed to this? Talk to York Computer.

Managed IT & cybersecurity for York County small businesses.
