Summary
- CERT-FR’s active alert concerns CVE-2026-42897, an Exchange Server vulnerability Microsoft says is being actively exploited.
- The issue affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition RTM.
- Mail infrastructure carries identity, communications, evidence, and recovery consequences when exploitation is confirmed.
CERT-FR is continuing to treat a Microsoft Exchange Server vulnerability as an active alert, keeping mail infrastructure and collaboration security inside the current European risk cycle.
The French national cyber authority’s alert concerns CVE-2026-42897, which affects Microsoft Exchange Server. CERT-FR says the vulnerability can allow an unauthenticated attacker to trigger indirect remote code injection and bypass security policy when a user opens a specially crafted email in Outlook Web Access. Microsoft has indicated that the vulnerability is being actively exploited.
Affected systems listed by CERT-FR include Microsoft Exchange Server 2016 Cumulative Update 23, Exchange Server 2019 Cumulative Update 14, Exchange Server 2019 Cumulative Update 15, and Exchange Server Subscription Edition RTM. The agency also notes that Exchange Emergency Mitigation Service is enabled by default and operates automatically, while disconnected environments have separate Microsoft guidance for applying a temporary workaround.
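Because the Emergency Mitigation Service is only on by default, it is worth confirming its state on each server. The script below is an added example, not code from CERT-FR or Microsoft. It assumes the Exchange Management Shell (Windows PowerShell 5.1) on an on-premises server and an account allowed to query services remotely. It does not look for a mitigation ID tied to this CVE, since the alert text above does not give one.

```powershell
# Added example: inventory Exchange Emergency Mitigation Service (EEMS) state.
# Run from the Exchange Management Shell. Read-only: it changes no settings.

# Organisation-wide switch; if this is False, EEMS is off for every server.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($server in Get-ExchangeServer) {
    # Windows service behind EEMS. $null if missing or the host is unreachable.
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' `
                       -ErrorAction SilentlyContinue

    # Mitigations only take effect when both the org and server switches are on.
    $effective = [bool]($orgEnabled -and $server.MitigationsEnabled)
    $blocked   = @($server.MitigationsBlocked)

    $serviceState = 'NotFound'
    if ($svc) { $serviceState = [string]$svc.Status }

    [pscustomobject]@{
        Server        = $server.Name
        Role          = $server.ServerRole
        Build         = $server.AdminDisplayVersion   # compare with the affected CUs
        OrgEnabled    = $orgEnabled
        ServerEnabled = $server.MitigationsEnabled
        ServiceState  = $serviceState
        Applied       = @($server.MitigationsApplied) -join ', '
        Blocked       = $blocked -join ', '
        # Flag anything where automatic mitigation cannot be assumed.
        NeedsReview   = (-not $effective) -or
                        ($serviceState -ne 'Running') -or
                        ($blocked.Count -gt 0)
    }
}

$report | Sort-Object -Property NeedsReview -Descending |
    Format-Table -AutoSize -Wrap Server, Role, Build, ServiceState, Applied, Blocked, NeedsReview
```

A server flagged `NeedsReview` is one where the automatic mitigation should not be assumed to be in place. A clean result shows only that mitigations are enabled and running, not that the server was untouched before they were applied.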
Exchange vulnerabilities carry operational weight because email infrastructure often sits at the intersection of identity, communications, sensitive records, and incident response. Compromise of a mail system can expose internal communications, support phishing or business email compromise, and interfere with the evidence needed to understand an intrusion.
The exposure differs sharply between organisations. Some have moved fully to cloud-hosted mail and collaboration services, while others retain Exchange Server on premises because of legacy dependencies, hybrid configurations, regulatory constraints, operational preference, or acquisition history. Those environments can have complex exposure profiles, with authentication, remote access, email gateways, archiving systems, and administrative tooling wrapped around the mail platform.
CERT-FR’s active alert is not only a prompt to apply a vendor update. It is also a test of whether organisations still have an accurate view of collaboration infrastructure that may have been treated as legacy but remains business-critical. Exchange systems may be maintained by infrastructure teams, monitored by security teams, and depended on by almost every department. Divided ownership can slow response when exploitation is confirmed.
Emergency mitigations can reduce immediate exposure, but they do not remove the need to understand whether vulnerable systems were targeted before protective action was applied. Where a vendor confirms active exploitation, remediation and investigation should run together.
That response should include a review of Outlook Web Access exposure, relevant mail-server logs, authentication events, anomalous mailbox access, privilege changes, and unexpected configuration changes. Organisations also need to confirm that incident responders have access to logs that may otherwise roll over quickly. In a mail-system incident, lost evidence can become a business problem before the full technical picture is understood.
The alert also fits a wider European governance pattern. Critical software in collaboration, identity, and remote-access layers is now central to operational continuity. Regulators are increasingly focused on whether organisations understand exposure, can demonstrate remediation, and can explain decisions made during a live-risk window.
CERT-FR’s continued warning gives organisations a clear reason to re-check Exchange exposure rather than assume the platform has disappeared into the background. Mail infrastructure remains one of the most consequential parts of enterprise IT; when it is exploited, the consequences rarely stay inside the mail team.


