
On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users.
Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software.
While patches are not yet available to fully fix the vulnerability, the company added that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers.
“An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context,” the Exchange Team said.
“Using EM Service is the best way for your organization to mitigate this vulnerability immediately. If you have EM Service currently disabled, we recommend you enable it immediately. Please note that EM Service will not be able to check for new mitigations if your server is running an Exchange Server version older than March 2023.”
EEMS was introduced in September 2021 to provide automated protection for on-premises Exchange servers, securing them against ongoing attacks by applying interim mitigations for high-risk (and likely actively exploited) vulnerabilities.
EEMS runs as a Windows service on Exchange Mailbox servers and is automatically enabled on servers with the Mailbox role. The security feature was added after many hacking groups exploited ProxyLogon and ProxyShell zero-days (which lacked patches or mitigation information) to breach Internet-exposed Exchange servers.
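Because the automatic mitigation only reaches servers where EEMS is switched on and its service is running, the following added example (not code from Microsoft or from the original article) audits that state from an elevated Exchange Management Shell. It assumes the standard EEMS service name `MSExchangeMitigation` and that remote service queries to each Mailbox server are permitted.

```powershell
# Added example: audit Exchange Emergency Mitigation Service (EEMS) state.
# Run in an elevated Exchange Management Shell on an on-premises server.

# Organization-wide switch: when False, no server applies mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }) {
    # Windows service that fetches and applies mitigations on Mailbox servers.
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $server.Name
        Version            = $server.AdminDisplayVersion
        OrgEnabled         = $orgEnabled
        ServerEnabled      = $server.MitigationsEnabled
        ServiceStatus      = if ($svc) { $svc.Status } else { 'NotFound' }
        MitigationsApplied = ($server.MitigationsApplied -join ', ')
        MitigationsBlocked = ($server.MitigationsBlocked -join ', ')
    }
}

# Full picture: which mitigations each server has applied or has blocked.
$report | Format-Table -AutoSize

# Servers that will not receive the automatic mitigation.
$report | Where-Object {
    -not $_.OrgEnabled -or -not $_.ServerEnabled -or $_.ServiceStatus -ne 'Running'
} | Select-Object Server, Version, ServerEnabled, ServiceStatus
```

A server returned by the last pipeline can be re-enabled with `Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true`, or organization-wide with `Set-OrganizationConfig -MitigationsEnabled $true`.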
Admins with servers in air-gapped environments can also mitigate the flaw by downloading the latest Exchange on-premises Mitigation Tool (EOMT) version and applying the mitigation by running the script via an elevated Exchange Management Shell (EMS) with one of the following commands:
Microsoft plans to release patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15, but says that updates for Exchange 2016 and 2019 will only be available to customers enrolled in the Period 2 Exchange Server ESU program.
In October, weeks after Exchange 2016 and 2019 reached the end of support, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released guidance to help IT admins harden Microsoft Exchange servers against attacks.




