19th May 2026 Cyber Update: Exchange Zero-Day Puts On-Prem Mail Servers Back in the Spotlight
Microsoft has confirmed active exploitation of CVE-2026-42897, putting exposed on-prem Exchange and Outlook Web Access environments back under pressure.
Microsoft Exchange is again in focus for enterprise patching after Microsoft confirmed exploitation of CVE-2026-42897, a vulnerability affecting Outlook Web Access in on‑premises Exchange Server deployments. The issue does not affect Exchange Online, an important distinction for boards and technology teams before the discussion becomes too broad.
CVE-2026-42897 affects Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition. Microsoft says an attacker could send a specially crafted email and, if the user opens it in Outlook Web Access under certain conditions, arbitrary JavaScript can run in the browser context. The US Cybersecurity and Infrastructure Security Agency has added the flaw to its Known Exploited Vulnerabilities catalogue, giving US federal agencies until 29 May 2026 to apply mitigations.
The immediate control is not a full patch. Microsoft is using the Exchange Emergency Mitigation Service to apply protection automatically where that service is enabled. For disconnected environments, Microsoft has provided a scripted mitigation path. A permanent security update is still pending, and Microsoft has warned that some older or unsupported Exchange deployments may face limits around future fixes.
Exchange remains one of those systems that many organisations keep running because business workflows, legacy mailboxes and hybrid identity arrangements make removal harder than the strategy slide suggests. That is why cyber observers keep returning to the same point: exposed on-prem mail infrastructure can become a high-value doorway into the organisation, even when most users have already moved to cloud services.
The market read is practical rather than dramatic. Security teams should confirm whether they still operate any on-prem Exchange server, check whether the Exchange Emergency Mitigation Service is enabled, validate that mitigation status, and review whether Outlook Web Access is unnecessarily exposed. Multiple cyber media outlets note that Microsoft’s mitigation may create some usability issues, including calendar printing and inline image display problems, but those trade-offs are easier to manage than an exploited mail server.
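The checks listed above can be gathered in one read-only pass. This is an added example, not Microsoft's mitigation script and not part of the original article; it assumes the Exchange Management Shell on a cumulative update that includes the Exchange Emergency Mitigation Service, and it leaves the mitigation ID for CVE-2026-42897 to be taken from Microsoft's advisory because the article does not give it.

```powershell
# Added example: read-only inventory of Emergency Mitigation (EEMS) state.
# Assumption: run from the Exchange Management Shell with view permissions.

# Organisation-wide switch; if this is False, no server applies mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$mailboxServers = Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox' }   # EEMS runs on the Mailbox role

$report = foreach ($server in $mailboxServers) {
    # -ADPropertiesOnly avoids a slow IIS metabase query on each server.
    $owa = Get-OwaVirtualDirectory -Server $server.Name -ADPropertiesOnly

    [pscustomobject]@{
        Server         = $server.Name
        Version        = $server.AdminDisplayVersion
        OrgEnabled     = $orgEnabled
        ServerEnabled  = $server.MitigationsEnabled
        Applied        = ($server.MitigationsApplied -join ', ')
        Blocked        = ($server.MitigationsBlocked -join ', ')
        OwaExternalUrl = ($owa.ExternalUrl -join ', ')   # empty = no external URL published
    }
}

$report | Format-Table -AutoSize -Wrap

# Servers that need follow-up: EEMS off at either level, nothing applied,
# or an administrator has blocked one or more mitigations.
$followUp = $report | Where-Object {
    -not $_.OrgEnabled -or -not $_.ServerEnabled -or -not $_.Applied -or $_.Blocked
}

if ($followUp) {
    Write-Warning "Servers needing review: $($followUp.Server -join ', ')"
} else {
    Write-Output 'EEMS is enabled and reports applied mitigations on every Mailbox server.'
}
```

A non-empty Applied column only shows that some mitigation is in place; compare its IDs against the one Microsoft publishes for this CVE before reporting a server as covered.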
The question that needs answering is about operational discipline: do organisations have a clean inventory of legacy internet-facing systems, and can they apply emergency controls quickly when a widely targeted platform enters the exploited-vulnerability list?
For boards and executive teams, the message is clear. Ask for confirmation, not reassurance. Which Exchange servers exist? Which are exposed? Which have the emergency mitigation applied? Which business owner accepts the risk if unsupported versions remain online?