Cyber: Microsoft Reports Severe Zero-day Flaw In On-prem Exchange Ser... (2026)

Microsoft has warned of a high-severity zero-day vulnerability that could let an attacker deliver arbitrary code to a victim by sending a specially crafted email to an Outlook user. The flaw, tracked as CVE-2026-42897, stems from improper neutralization of input during web page generation, also known as cross-site scripting (XSS), in Microsoft Exchange Server, and allows an unauthorized attacker to perform spoofing over a network.

This high-severity vulnerability (CVSS score 8.1), disclosed by the tech giant on May 14, affects some on-premises Exchange Server versions; Microsoft has not yet released a patch for it. However, in a security advisory published on May 14, the Exchange Team shared two approaches security teams can take to mitigate the impact of potential exploitation of this vulnerability before patches are available.

The first option, which Microsoft recommends, uses the Exchange Emergency Mitigation (EM) Service. If the EM Service is enabled, which it is by default, the mitigation has already been applied automatically. Note that servers running versions older than March 2023 cannot receive new mitigations through this service.

The second option is intended for environments that cannot use the EM Service, such as disconnected or air-gapped environments. Administrators can manually apply the mitigation by:
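Before deciding between the two options, an administrator needs to know whether the EM Service is actually enabled and applying mitigations on each server. The following check is an added example for this article, not code from InfoSecurity Magazine or from Microsoft's advisory. It assumes it is run in the Exchange Management Shell on an on-premises server whose build exposes the `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked` properties and runs the `MSExchangeMitigation` service; the mitigation ID for this CVE is not given in the article, so the script lists whatever IDs are reported for comparison with the advisory rather than checking a specific one.

```powershell
# Added example (not from the article or Microsoft's advisory). Run in the
# Exchange Management Shell on an on-premises Exchange server. Assumes the
# MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties and
# the MSExchangeMitigation service exist on this build.

# 1. Is the EM Service permitted to run at the organization level?
$orgConfig = Get-OrganizationConfig
"Org-level MitigationsEnabled: $($orgConfig.MitigationsEnabled)"

# 2. Per server: build (compare against the March 2023 baseline named in the
#    advisory), whether EM is enabled, and which mitigation IDs were applied.
#    Match the applied IDs against the ID published for CVE-2026-42897.
Get-ExchangeServer |
    Select-Object Name, AdminDisplayVersion, MitigationsEnabled,
                  MitigationsApplied, MitigationsBlocked |
    Format-Table -AutoSize

# 3. Is the EM Service actually running on this host?
Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 4. Servers with EM disabled or no applied mitigations cannot rely on the
#    first option and are candidates for the manual (second) option.
$reviewList = Get-ExchangeServer | Where-Object {
    -not $_.MitigationsEnabled -or -not $_.MitigationsApplied
}
if ($reviewList) {
    "Servers to review for manual mitigation:"
    $reviewList | ForEach-Object { "  $($_.Name) ($($_.AdminDisplayVersion))" }
} else {
    "All servers report EM enabled with at least one applied mitigation."
}
```

An empty `MitigationsApplied` list on a server older than the March 2023 build is the case the advisory warns about: that server will not receive the new mitigation through the EM Service and must be handled with the second option.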

Source: InfoSecurity Magazine