Do you use Microsoft Exchange? Hackers are actively exploiting a new zero-day flaw
All it takes is one malicious email
A newly discovered zero-day vulnerability in Microsoft Exchange Server has experts sounding the alarm. On Thursday, Microsoft announced mitigations for a high-severity Exchange Server vulnerability that's being actively exploited by hackers. All an attacker needs to do is send a specially crafted email that, when opened through Outlook Web Access, can execute arbitrary code within the user's browser.
Microsoft has classified this security flaw (tracked as CVE-2026-42897) as a spoofing vulnerability affecting fully updated versions of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE).
"An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," the Exchange Team said.
Although security patches are not yet available, Microsoft said the Exchange Emergency Mitigation Service (EEMS) can provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers.
"Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away. Please note that EM Service will not be able to check for new mitigations if your server is running Exchange Server version older than March 2023," per the Exchange Team.
To check the status of the Exchange Emergency Mitigation Service, organizations should follow Microsoft's instructions on running the Exchange Health Checker script.
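As a quick complement to the Health Checker, the following added example (not from Microsoft or the original article) reports whether the Emergency Mitigation Service is able to act on each Mailbox server. It assumes it is run from the Exchange Management Shell with remote CIM access to the servers; the report column names are illustrative.

```powershell
# Added example: run in the Exchange Management Shell of an on-premises organization.
# Flags Mailbox servers where the Exchange Emergency Mitigation Service (EEMS) cannot act.

# Organization-wide switch; when false, no server applies mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

# Assumption: EEMS is installed only with the Mailbox role, so Edge Transport servers are skipped.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

$report = foreach ($srv in $servers) {
    # MSExchangeMitigation is the Windows service behind EEMS.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $srv.Fqdn `
               -Filter "Name='MSExchangeMitigation'" -ErrorAction SilentlyContinue

    $blocked  = @($srv.MitigationsBlocked)
    $problems = @()
    if (-not $orgEnabled)             { $problems += 'disabled at organization level' }
    if (-not $srv.MitigationsEnabled) { $problems += 'disabled on this server' }
    if (-not $svc)                    { $problems += 'service not found or host unreachable' }
    elseif ($svc.State -ne 'Running') { $problems += "service state is $($svc.State)" }
    if ($blocked.Count -gt 0)         { $problems += 'blocked: ' + ($blocked -join ', ') }

    [pscustomobject]@{
        Server   = $srv.Name
        Version  = $srv.AdminDisplayVersion   # compare against the March 2023 cutoff Microsoft cites
        Applied  = (@($srv.MitigationsApplied) -join ', ')
        Status   = if ($problems.Count -gt 0) { 'ACTION NEEDED' } else { 'OK' }
        Problems = ($problems -join '; ')
    }
}

$report | Sort-Object Status, Server | Format-Table -AutoSize -Wrap
```

Where the report shows EEMS disabled, `Set-OrganizationConfig -MitigationsEnabled $true` and `Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true` turn it back on at the organization and server level respectively.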
May has been one hell of a month for Microsoft's security team. In the last week alone, Microsoft's fixed over 130 vulnerabilities as part of its Patch Tuesday cycle, many of which are driven by a new AI-powered bug-hunting system codenamed MDASH (Multi-model Agentic Scanning Harness).

Alyse Stanley is a news editor at Tom’s Guide, overseeing weekend coverage and writing about the latest in tech, gaming, and entertainment. Before Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk and has written game reviews and features for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and roller skating. She's also a puzzle fan and can often be found contributing to the NYT Connections coverage on Tom's Guide.
