07/03/2026
In May 2026, Microsoft confirmed that hackers are actively breaking into on-premise Exchange servers using a flaw called CVE-2026-42897.
The attack is simple. A hacker sends a normal-looking email to someone on your team. They open it in the browser version of Outlook. Hidden code in the email runs. The hacker is now inside your network. Your employee doesn't have to click anything. Just reading the email is enough.
It hits Exchange 2016, 2019, and Subscription Edition. The cloud version (Exchange Online in Microsoft 365) is safe. CISA gave federal agencies until May 29, 2026 to patch this, which tells you how serious it is.
If you don't know whether your business runs Exchange on a server in your office or in Microsoft's cloud, ask your IT person today. If the answer is on-prem, install Microsoft's May 2026 update and turn on Exchange Emergency Mitigation Service (EMS) until the update is fully done. If you've been putting off the move to the cloud, this is your reason to do it now.
Your email server is the front door to your business. Right now thousands of them are unlocked.
CVE-2026-42897 is exploited in on-prem Exchange; crafted emails enable spoofing, forcing urgent mitigation.