Microsoft has disclosed a zero-day vulnerability that affects Exchange Server 2016, 2019, and Subscription Edition. This vulnerability would give bad actors an opportunity to run arbitrary code remotely on the Exchange server.
Although Microsoft has not issued any patches for this security vulnerability, they suggested two possible mitigations until a solution becomes available.
According to Microsoft, one preferred mitigation strategy is to activate the Exchange Emergency Mitigation (EM) Service, which provides protection for all customers whose EM Service remains enabled by default.
The announcement was made at a time when Microsoft was releasing its May 2026 Patch Tuesday updates, which fixed more than 120 vulnerabilities across applications such as Windows, Office, Azure, SharePoint, and more.
Multiple vulnerabilities addressed this month involve remote code execution and can be exploited via different vectors such as documents, DNS response, and network traffic.
The risk is higher when there’s no patch yet
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, at Suzu Labs, says: “Exchange remains one of the most dangerous places for a remote code execution flaw to land. It sits close to identity and inside the communication layer most organizations depend on every day.”
He says the risk is higher when there is no patch yet. Attackers study mitigation guidance the same way defenders do. AI only compresses that timeline. Public details can now be turned into working exploits much faster than most organizations can validate exposure.
“Microsoft’s Emergency Mitigation Service gives defenders a bridge, but that bridge still has to be verified. Exposure management now matters as much as patch management. Organizations need to know where Exchange is reachable and whether the mitigation actually landed.”
On-premises Exchange remains the most targeted pieces of real estate
Damon Small, Board of Directors, at Xcape Inc, adds: “The disclosure of CVE-2026-42897 is a reminder that on-premises Exchange remains the most targeted piece of real estate in the enterprise stack. This zero-day allows unauthenticated remote code execution, effectively granting attackers a direct path to the heart of corporate identity and communications. Because a formal patch is still pending, organizations are forced into a mitigation-only posture, relying on the Emergency Mitigation Service to essentially apply a virtual band-aid to a critical wound.
“For security leaders, this incident should be the final catalyst to accelerate the move to Exchange Online or, at the very least, to isolate these servers behind a zero-trust gateway. The priority must be immediate validation that the EM Service is actually functional and applying the necessary URI blocks, as a single misconfigured server can serve as the beachhead for a full domain compromise. In sum, most companies’ core competency is not maintaining IT infrastructure and should outsource those responsibilities.
He says companies should heed these takeaways:
- “Trust the Service, not the Server: If your Exchange Emergency Mitigation Service is disabled, you are currently defenseless; manual URI blocks are the only alternative until a formal binary patch is released.
- “Identical Patterns: This flaw echoes ProxyLogon and ProxyShell, demonstrating that the architectural complexity of on-premises Exchange continues to provide a fertile ground for unauthenticated RCE.
- “The Hybrid Trap: Organizations in hybrid mode must ensure their on-premises footprint does not become the weakest link that compromises their cloud-based identity and mailboxes.
“Microsoft’s “Emergency Mitigation Service” is a polite way of saying your server is on life support, and the attackers are the ones currently holding the remote control.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.