Microsoft has confirmed a critical vulnerability in Exchange Server that demands immediate attention from IT administrators worldwide. The flaw, assigned CVE-2026-42897, enables attackers to execute arbitrary code on affected systems through Outlook Web Access (OWA), potentially leading to full server compromise. Disclosed on May 14, 2026, the vulnerability impacts Exchange Server 2016, Exchange Server 2019, and the newer Exchange Server Subscription Edition, leaving a vast installed base at risk.

In response, the Exchange Emergency Mitigation Service (EMS) has deployed an interim fix – Mitigation M2 – designed to neutralize the attack vector while a permanent patch is under development. However, administrators cannot simply assume the mitigation is active. This article provides a deep dive into the vulnerability, how the mitigation works, and the essential verification steps every Exchange admin must perform immediately.

What is CVE-2026-42897 and why is it so dangerous?

CVE-2026-42897 is a remote code execution vulnerability residing in the Exchange Server’s web-based Outlook interface. According to Microsoft’s advisory, an unauthenticated attacker on the same network as the Exchange server could send crafted HTTP requests to a specific OWA endpoint, triggering improper deserialization of user-supplied data. Successful exploitation grants the attacker SYSTEM-level privileges on the underlying server, enabling data theft, lateral movement, ransomware deployment, or complete infrastructure takeover.

The bug was discovered internally by Microsoft’s security researchers during a proactive audit of Exchange Server code. As of disclosure, there was no evidence of in-the-wild exploitation, but the nature of the vulnerability—an easily reachable deserialization flaw in a public-facing component—makes it an appealing target for advanced threat actors. On the CVSS 3.1 scale, Microsoft rated it 9.8 Critical, citing low attack complexity, no required privileges, and no user interaction.

Affected OWA endpoints include:
- /owa/auth/
- /owa/service.svc/
- Certain RESTful APIs used by OWA for calendar and attachment handling

Administrators running hybrid configurations with on-premises Exchange are equally vulnerable if their OWA is exposed externally, even through a reverse proxy or load balancer. Disabling OWA entirely is an option, but many organizations rely on it for remote mail access, making the EMS mitigation the preferred quick fix.

The Emergency Mitigation Service and Mitigation M2

Exchange Server’s Emergency Mitigation Service (EMS) is a cloud-driven feature introduced in Cumulative Update 22 (CU22) for Exchange 2016 and CU12 for Exchange 2019. Enabled by default in all supported builds, EMS periodically contacts Microsoft’s online service to download XML-based mitigation rules. When a high-severity vulnerability is disclosed, Microsoft can push a mitigation rule within hours without waiting for an administrator to install a patch.

For CVE-2026-42897, Microsoft released Mitigation M2 on the same day as the advisory. The rule targets the vulnerable deserialization endpoint by:
1. Modifying the IIS URL rewrite configuration at the server level to block access to the specific OWA paths involved.
2. Adding a temporary IIS module that sanitizes incoming requests to other OWA paths, stripping out malicious serialized payloads.
3. Writing a registry flag under HKLM\Software\Microsoft\Exchange\EmergencyMitigation to indicate M2 is active.

EMS checks for new mitigations every hour by default. Once downloaded, the mitigation is applied immediately and persists across server reboots. Importantly, the mitigation does not disable all of OWA; only the affected components are gated. End users can still access their mailboxes, but some non-critical functionalities (like certain calendar sharing features) may be temporarily unavailable until a full update is released.

Affected Exchange Server versions

The vulnerability impacts all on-premises Exchange deployments that meet the following prerequisites:
- Exchange Server 2016 CU23 (April 2024) and later
- Exchange Server 2019 CU14 (April 2024) and later
- Exchange Server Subscription Edition (all builds released before May 2026)

Exchange Server 2013 and older are out of support and do not receive security mitigations; organizations still running those versions should consider them compromised until evidence proves otherwise.

Exchange Online is not affected. Microsoft has clarified that the service runs a distinct codebase, and no action is needed for purely cloud-hosted mailboxes.

Verification is mandatory: How to check Mitigation M2 status

Administrators must not trust that the mitigation has been applied silently. Several factors—firewall restrictions, proxy misconfigurations, or EMS being inadvertently disabled—can prevent the rule from reaching your servers. Follow these steps on every Exchange server to confirm protection.

Step 1: Confirm EMS is enabled and functional

Run the following PowerShell command in the Exchange Management Shell:

Get-ExchangeServer | Get-ExchangeEmergencyMitigation

If EMS is operational, you should see a list of installed mitigations including one named CVE-2026-42897-M2. If the output is empty, EMS may be disabled. Check the health set using:

Get-ServerHealth -Identity <servername> | ?{$_.HealthSetName -eq "EmergencyMitigation"}

A healthy status should return Online. If Offline or Unhealthy, investigate the EMS configuration.

Step 2: Examine the EMS log

EMS logs its activities under:
%ExchangeInstallPath%\Logging\EmergencyMitigation\
Open the most recent log file and search for CVE-2026-42897. Look for entries like:

[INFO] Mitigation rule CVE-2026-42897-M2 downloaded successfully.
[INFO] Applied mitigation CVE-2026-42897-M2.

A lack of such entries within the last day suggests the rule hasn’t been fetched. Common causes:
- The Exchange server cannot reach the Internet (or specifically https://officeclient.microsoft.com). Verify connectivity.
- EMS is configured to use a proxy that fails authentication. Check the proxy settings with netsh winhttp show proxy.
- The EMS scheduler service (MSExchangeEmergencyMitigation) is stopped. Start it and set it to Automatic.

Step 3: Inspect IIS settings and a quick test

Mitigation M2 adds a blocking rule in IIS. Open IIS Manager, navigate to Sites > Default Web Site or Exchange Back End, and look for URL Rewrite rules. There should be new entries like:
- EMS_Block_CVE202642897_owa_auth
- EMS_Sanitize_CVE202642897_request_body

You can also directly test the mitigation by attempting to access a known vulnerable path from an internal machine (not from the server itself due to loopback check exclusion). For example:

Invoke-WebRequest -Uri "https://yourserver/owa/auth/" -Method POST -Body "malicious_test_payload"

You should receive an HTTP 403 or 500 error, indicating the request was blocked, rather than an OWA login page.

Step 4: Registry verification

The definitive machine-level indicator is a registry value:

HKLM\Software\Microsoft\Exchange\EmergencyMitigation\M2_Applied

If it exists and is set to 1, Mitigation M2 is active. You can query it remotely with PowerShell:

# $server holds the name of the Exchange server to query, e.g. $server = 'EXCH01'
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
$key = $reg.OpenSubKey('Software\Microsoft\Exchange\EmergencyMitigation')
$key.GetValue('M2_Applied')   # a value of 1 means Mitigation M2 is active

This is the most reliable check for automated reporting across your Exchange estate.
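To run Steps 1 through 4 across a whole estate and get one row per server, the following PowerShell script is an added example (not from the article or from Microsoft) that uses the cmdlets, log path, IIS rule name and registry value named above. It assumes the Exchange install path is reachable over the C$ admin share and that applicationHost.config sits in the default inetsrv location; adjust the two paths if yours differ.

```powershell
# Added example: one-row-per-server report of Mitigation M2 status (not Microsoft code).
# Assumes: Exchange Management Shell loaded, admin rights on each server, C$ share reachable.
function Get-M2MitigationStatus {
    param(
        [Parameter(Mandatory)][string[]]$Server,
        [string]$InstallPath = 'C$\Program Files\Microsoft\Exchange Server\V15',
        [string]$IisConfig   = 'C$\Windows\System32\inetsrv\config\applicationHost.config'
    )
    foreach ($s in $Server) {
        $r = [pscustomobject]@{
            Server = $s; EmsHealth = 'Unknown'; RuleListed = $false
            LogApplied = $false; IisRule = $false; RegistryFlag = $null; Protected = $false
        }
        # Step 1: EMS health set and the list of installed mitigations
        $health = Get-ServerHealth -Identity $s | Where-Object { $_.HealthSetName -eq 'EmergencyMitigation' }
        if ($health) { $r.EmsHealth = ($health | Select-Object -First 1).AlertValue }
        $list = Get-ExchangeServer -Identity $s | Get-ExchangeEmergencyMitigation | Out-String
        $r.RuleListed = $list -match 'CVE-2026-42897-M2'

        # Step 2: the newest EMS log must carry the "Applied mitigation" entry
        $logDir = "\\$s\$InstallPath\Logging\EmergencyMitigation"
        $log = Get-ChildItem -Path $logDir -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($log) {
            $r.LogApplied = [bool](Select-String -Path $log.FullName -Quiet -SimpleMatch 'Applied mitigation CVE-2026-42897-M2')
        }

        # Step 3: the server-level URL Rewrite rule M2 adds to applicationHost.config
        $cfg = Get-Content -Path "\\$s\$IisConfig" -Raw -ErrorAction SilentlyContinue
        $r.IisRule = [bool]($cfg -and $cfg -match 'EMS_Block_CVE202642897_owa_auth')

        # Step 4: the definitive registry flag, read remotely as in the article
        try {
            $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $s)
            $key = $reg.OpenSubKey('Software\Microsoft\Exchange\EmergencyMitigation')
            if ($key) { $r.RegistryFlag = $key.GetValue('M2_Applied') }
        } catch { Write-Warning "$s : registry read failed: $_" }

        # Count a server as protected only when every independent indicator agrees
        $r.Protected = ($r.RegistryFlag -eq 1) -and $r.IisRule -and ($r.RuleListed -or $r.LogApplied)
        $r
    }
}

# Usage from the Exchange Management Shell; any row with Protected = False needs action
Get-ExchangeServer | ForEach-Object { Get-M2MitigationStatus -Server $_.Name } |
    Format-Table Server, EmsHealth, RuleListed, LogApplied, IisRule, RegistryFlag, Protected
```

Because the registry flag, the IIS rule and the EMS log are written by different parts of the mitigation, a disagreement between them (for example the flag set but the rule absent) is itself a finding worth investigating before marking the server done.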

What to do if the mitigation is not applied

If any of the above checks indicate that Mitigation M2 is missing, take these immediate actions:

  • Manually trigger an EMS update: From the Exchange Management Shell, run Start-EmergencyMitigationUpdate. This forces an immediate check for new rules.
  • For air-gapped environments: Download the mitigation manually from the Microsoft Download Center (search for "Exchange EMS Mitigation M2"). The installer is a .msi file that applies the same IIS and registry changes. After installation, verify with the registry check.
  • Temporary workaround: As a last resort, you can disable OWA entirely until the mitigation is in place. Use Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -ExternalUrl $null and restart IIS. This will prevent all OWA access but eliminates the attack surface.

Remember that Mitigation M2 is a temporary measure. It does not fix the underlying code flaw. Microsoft has stated that a full patch will be included in the next Cumulative Update for Exchange Server 2019 (CU15) and the equivalent update for Exchange Server Subscription Edition. No date has been confirmed, but based on past security cycles, expect a release within 2–3 weeks.

Community feedback and known issues

In the hours following the disclosure, Exchange administrators took to forums and social media to share their experiences. A recurring theme was confusion over the mitigation name: some admins expected a KB article number or a more descriptive identifier. Microsoft has since updated its advisory to clarify that "M2" is the internal EMS rule designation and that it maps directly to the advisory’s recommendations.

Several admins reported that their EMS service was stuck in a "Starting" state after applying a recent Windows update. The workaround was to delete the EMS database files under %ExchangeInstallPath%\Bin\EmergencyMitigation\Data\ and restart the service—forcing a clean initialization.

Another point of frustration: the mitigation can break third-party applications that rely on the now-blocked OWA APIs. Microsoft acknowledges this and recommends testing in a non-production environment if custom integrations are critical. For most organizations, though, the loss of a few auxiliary features is a small price to pay for preventing a remote code execution breach.

Looking ahead: permanent fix and long-term strategy

The accelerated EMS response highlights the value of keeping Exchange servers on the latest Cumulative Update. Without a recent CU, EMS may not be available, leaving servers completely exposed. For Exchange 2016 customers, end-of-life is approaching—planned for October 2025, extended support ended in 2020—and yet many still cling to it. This vulnerability is a stark reminder that running unsupported software is a gamble no business should take.

Microsoft’s Exchange team has pledged to release an out-of-band security update if exploitation is detected before the next scheduled CU. They urge admins to enable the automatic deployment of EMS mitigations and to monitor the Service Health Dashboard for updates.

In the meantime, every administrator must verify that Mitigation M2 is active on all servers. A single unprotected Exchange server can act as a pivot point for a network-wide compromise. Use the verification steps above, document the results, and if you find gaps, close them now. The window between vulnerability disclosure and active exploit attempts is shrinking every year—sometimes measured in hours. With a flaw of this severity, waiting even a day could be catastrophic.