A newly discovered zero-day vulnerability in Microsoft Exchange Server has experts sounding the alarm. On Thursday, Microsoft announced mitigations for a high-severity Exchange Server vulnerability that is being actively exploited. All an attacker needs to do is send a specially crafted email that, when opened through Outlook Web Access, can execute arbitrary JavaScript in the user's browser.
Microsoft has classified the flaw (tracked as CVE-2026-42897) as a spoofing vulnerability affecting fully updated versions of Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE).
“An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context,” the Exchange Team said.
Although security patches are not yet available, Microsoft said the Exchange Emergency Mitigation Service (EEMS) can apply a mitigation automatically on on-premises Exchange Server 2016, 2019, and SE servers.
“Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away. Please note that EM Service will not be able to check for new mitigations if your server is running an Exchange Server version older than March 2023,” per the Exchange Team.
To check the status of the Exchange Emergency Mitigation Service, organizations should follow Microsoft’s instructions for running the Exchange Health Checker script.
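The status check the article points to, written out as an added example (this is not code from the article or from Microsoft). It is meant to be run from the Exchange Management Shell on an on-premises Exchange 2016/2019/SE server and reports, per server, whether EEMS is switched on at the organization level, at the server level, and whether the mitigation service itself is running. The cmdlet names, the `MitigationsEnabled` property and the `MSExchangeMitigation` service name are taken from Microsoft's EEMS documentation as recalled here; confirm them against the current documentation before relying on the output. The `Effective` column is this example's own summary, not a Microsoft field.

```powershell
# Added example: report Exchange Emergency Mitigation Service (EEMS) status
# across all Exchange servers in the organization. Run in the Exchange
# Management Shell. Assumption: MitigationsEnabled and the MSExchangeMitigation
# service name are as documented by Microsoft for EEMS.

function Get-EemsStatusReport {
    [CmdletBinding()]
    param()

    # Organization-wide switch: when this is $false, EEMS is off on every server
    # regardless of the per-server setting.
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    foreach ($server in Get-ExchangeServer) {
        # Query the mitigation service on the remote host; report failures
        # instead of aborting so one unreachable server does not hide the rest.
        $serviceState = 'unknown'
        try {
            $svc = Get-Service -ComputerName $server.Name -Name MSExchangeMitigation -ErrorAction Stop
            $serviceState = [string]$svc.Status
        } catch {
            $serviceState = "not reachable ($($_.Exception.Message))"
        }

        [pscustomobject]@{
            Server            = $server.Name
            # EEMS cannot fetch new mitigations on builds older than March 2023;
            # compare this value against Microsoft's build table by hand.
            Version           = $server.AdminDisplayVersion
            OrgMitigations    = $orgEnabled
            ServerMitigations = $server.MitigationsEnabled
            MitigationService = $serviceState
            # Example's own summary: all three conditions must hold for EEMS to act.
            Effective         = ($orgEnabled -and $server.MitigationsEnabled -and $serviceState -eq 'Running')
        }
    }
}

$report = Get-EemsStatusReport
$report | Format-Table -AutoSize

# Surface the servers where EEMS is not in a position to apply the mitigation.
$report | Where-Object { -not $_.Effective } | ForEach-Object {
    Write-Warning ("EEMS is not active on {0}: org={1} server={2} service={3}" -f `
        $_.Server, $_.OrgMitigations, $_.ServerMitigations, $_.MitigationService)
}
```

Servers flagged with a warning are the ones to address first: enable EEMS where it is off, and for any build older than March 2023 treat the service as unable to receive this mitigation, so the Health Checker script and Microsoft's guidance for that build apply instead.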
May has been one hell of a month for Microsoft’s security team. In the last week alone, Microsoft has fixed over 130 vulnerabilities as part of its Patch Tuesday cycle, many of which were found by a new AI-powered bug-hunting system codenamed MDASH (Multi-model Agentic Scanning Harness).