Urgent Action Required: Zero-Day in Microsoft Exchange Exploited, Experts Warn of Domain Compromise Risks

May 16, 2026
  • The piece places this in a broader pattern of rapid zero‑day activity in 2026, citing prior Exchange and Windows 11 exploit coverage.

  • Mitigation should proceed via the Exchange Emergency Mitigation Service (EM Service), which also delivers the patches; ensure EM Service is enabled and URI blocks are applied as needed.

  • CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15 and urges timely remediation given the high-risk attack vector.

  • A zero-day in Microsoft Exchange, CVE-2026-42897, was disclosed on May 14 and is actively being exploited in the wild, according to CISA.

  • Experts urge rapid remediation and careful configuration, warning that a misconfigured on-premises server can compromise an entire domain, with options including moving to Exchange Online or isolating on‑premises servers behind a zero-trust gateway.

  • Affected on‑premises Exchange versions include Exchange Server 2016 (all updates), Exchange Server 2019 (all updates), and Exchange Server Subscription Edition (all updates); Exchange Online remains unaffected.

  • Microsoft identifies EM Service as the best immediate mitigation and notes that on‑premises Exchange remains a high‑value target for enterprises.

  • The flaw is a spoofing vulnerability that enables unauthenticated remote code execution: when a malicious email is opened in Outlook Web Access, it can run arbitrary JavaScript in the browser context.

Summary based on 1 source
