
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

Microsoft has disclosed a new security vulnerability impacting on-premises versions of Exchange Server that it said has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.

“Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network,” the tech giant said in a Thursday advisory.

Microsoft, which tagged the vulnerability with an “Exploitation Detected” assessment, said an attacker could weaponize it by sending a crafted email to a user, which, when opened in Outlook Web Access and subject to other “certain interaction conditions,” can allow arbitrary JavaScript code to be executed in the context of the web browser.

Redmond also noted that it's providing a temporary mitigation through its Exchange Emergency Mitigation Service, while it's readying a permanent fix for the security defect.


The Exchange Emergency Mitigation Service will provide the mitigation automatically via a URL rewrite configuration, and is enabled by default. If it's not on, users are advised to enable the Windows service.
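A readiness check for the service described above, written as an added example for this article and not taken from Microsoft's advisory or tooling. It is meant for an elevated Exchange Management Shell and reports, per non-Edge server, whether mitigations are enabled, whether the Windows service is running, and which mitigation IDs are recorded as applied or blocked. It assumes builds that include the Emergency Mitigation service, the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties, and a service display name containing "Emergency Mitigation".

```powershell
# Added example: audit Exchange Emergency Mitigation (EM) service readiness.
# Run from an elevated Exchange Management Shell (EMS).
# Assumptions (not stated in the article): the Mitigations* property names
# and the service display-name pattern used below.

$org = Get-OrganizationConfig

# Edge servers are skipped, mirroring the filter in the article's EOMT command.
$report = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | ForEach-Object {
    $server = $_

    # Find the Windows service by display name rather than hard-coding its short name.
    $svc = Get-Service -ComputerName $server.Name -DisplayName "*Emergency Mitigation*" `
               -ErrorAction SilentlyContinue | Select-Object -First 1

    # Walk the checks from the broadest switch to the narrowest.
    $finding = if (-not $org.MitigationsEnabled) {
        "Mitigations disabled at organization level"
    } elseif (-not $server.MitigationsEnabled) {
        "Mitigations disabled on this server"
    } elseif (-not $svc) {
        "Service not found or host unreachable"
    } elseif ($svc.Status -ne "Running") {
        "Service present but not running"
    } elseif (-not $server.MitigationsApplied) {
        "Service running, no mitigation applied yet"
    } else {
        "OK"
    }

    [pscustomobject]@{
        Server  = $server.Name
        Version = $server.AdminDisplayVersion
        Service = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { "n/a" }
        Applied = @($server.MitigationsApplied) -join ", "
        Blocked = @($server.MitigationsBlocked) -join ", "
        Finding = $finding
    }
}

# Servers needing attention sort together because Finding is the first key.
$report | Sort-Object Finding, Server | Format-Table -AutoSize -Wrap
```

An "OK" finding only shows that at least one mitigation is recorded on the server; the article does not give the mitigation ID for CVE-2026-42897, so the Applied column still has to be compared against Microsoft's advisory.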

According to Microsoft, Exchange Online is not impacted by this vulnerability. The following on-premises Exchange Server versions are affected:

  • Exchange Server 2016 (any update level)
  • Exchange Server 2019 (any update level)
  • Exchange Server Subscription Edition (SE) (any update level)

If using the Exchange Emergency Mitigation Service is not an option due to air-gap restrictions, the company has outlined the following sequence of actions:

  • Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from aka[.]ms/UnifiedEOMT.
  • Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS):
    • Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
    • All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

Microsoft said it's also aware of a known issue where the mitigation shows “Mitigation invalid for this exchange version” in the Description field. “This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as ‘Applied,’” the Exchange Team said. “We’re investigating on how to address this.”

There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It's also unclear who the targets are and if any of those attacks have been successful. In the interim, it's recommended to apply the mitigations recommended by Microsoft.
