
Exchange Emergency Mitigation Service

Microsoft's auto-applied URL-rewrite mitigation framework for on-premises Exchange Server, used as the sole sanctioned remediation for CVE-2026-42897, with documented side effects on OWA calendar printing, OWA Light mode, and inline images.

Last refreshed: 20 May 2026

Key Question

EEMS is the only fix for an actively exploited Exchange zero-day; does it actually satisfy CISA's 29 May deadline?

Timeline for Exchange Emergency Mitigation Service

15 May

Microsoft applied an EEMS URL-rewrite rule to mitigate CVE-2026-42897, with documented side effects on OWA calendar printing, OWA Light mode, and inline images

Cybersecurity: Threats and Defences: Exchange repeats the CISA deadline-before-patch trap
Common Questions
What is the Exchange Emergency Mitigation Service and how does it work?
EEMS is Microsoft's mechanism for pushing signed security mitigations to on-premises Exchange Server without a full patch. A local Windows service polls Microsoft's Office Config Service over HTTPS, downloads signed mitigation definitions, and applies them on the server itself: an IIS URL Rewrite rule, disabling an Exchange service, or disabling an IIS application pool. Source: Microsoft
Does the EEMS mitigation for CVE-2026-42897 satisfy CISA's 29 May deadline?
Not technically. BOD 22-01 requires remediation, and EEMS provides mitigation only. CISA has not amended the directive text to recognise mitigation as a compliant state, so federal agencies must document EEMS as the best available response while awaiting a patch. Source: CISA BOD 22-01
What breaks when you enable the EEMS workaround for the Exchange OWA vulnerability?
The EEMS URL-rewrite rule for CVE-2026-42897 breaks OWA calendar printing, may prevent inline images from rendering, and breaks OWA Light mode entirely. Source: Microsoft Security Response Center
Can EEMS be used in air-gapped environments to protect Exchange?
EEMS requires outbound HTTPS connectivity to Microsoft's Office Config Service to download mitigation definitions. Air-gapped Exchange deployments cannot use automatic EEMS delivery and must apply the equivalent URL-rewrite rule manually. Source: Microsoft
Why did Microsoft create EEMS after ProxyLogon?
ProxyLogon in 2021 showed that mass exploitation could begin before Microsoft's monthly patch cycle delivered a fix. EEMS was created to allow emergency URL-rewrite and feature-disable mitigations to be pushed within hours of a vulnerability being weaponised, outside the Patch Tuesday schedule. Source: Microsoft

Background

The Exchange Emergency Mitigation Service (EEMS) is Microsoft's mechanism for deploying security mitigations to on-premises Exchange Server installations without requiring a full code patch. A local service downloads signed mitigation definitions from Microsoft's Office Config Service over HTTPS and applies them on the server: an IIS URL Rewrite rule, disabling an Exchange service, or disabling an IIS application pool. In May 2026, EEMS became the sole sanctioned control for CVE-2026-42897, the OWA cross-site scripting zero-day added to CISA's KEV catalogue on 15 May with a 29 May federal deadline. The specific EEMS rule for CVE-2026-42897 applies a URL-rewrite filter to OWA requests; documented side effects include OWA calendar print failure, broken OWA Light mode, and inline-image rendering failures. EEMS is enabled by default on Exchange Server 2016 (CU22 and later), Exchange Server 2019 (CU11 and later), and Subscription Edition, provided the server passes its connectivity check to the Office Config Service at setup time.

Microsoft introduced EEMS in September 2021, with Exchange Server 2016 CU22 and Exchange Server 2019 CU11, following the ProxyLogon mass-exploitation event, specifically to allow emergency mitigation faster than the traditional monthly patch cycle. Each mitigation is a signed XML descriptor that the service applies automatically, giving Microsoft the ability to push a URL-rewrite or feature-disable rule within hours of a vulnerability being weaponised. The mechanism requires outbound HTTPS connectivity from each Exchange server to officeclient.microsoft.com, plus the IIS URL Rewrite module installed locally, creating a dependency that some air-gapped or high-security environments cannot satisfy. Mitigations can also be switched off per server or for the whole organisation, so a server that shows EEMS enabled at the organisation level may still have nothing applied.

EEMS creates a structural tension with BOD 22-01's binary remediation model. The directive treats "mitigated" and "patched" as distinct states, and CISA's 29 May deadline for CVE-2026-42897 nominally requires a patch that does not exist. In practice, EEMS mitigation is the best available response, but it does not satisfy the directive as written. Security teams applying EEMS must document the side effects, confirm the mitigation is active, and supplement it with session-token rotation and mailbox-rule monitoring to achieve the closest approximation of BOD 22-01 compliance. This is the second time in twelve days CISA has imposed a federal deadline that EEMS-class mitigations, rather than patches, must bridge.
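The audit the paragraph above asks for (confirm the mitigation is actually active on each server, record whether automatic EEMS delivery is even possible, and start mailbox-rule monitoring) in a single Exchange Management Shell pass. This is an added example, not code from this page, from Microsoft or from the EEMS service itself. It uses only documented cmdlets and properties (`Get-ExchangeServer` with `MitigationsEnabled`, `MitigationsApplied` and `MitigationsBlocked`; `Get-OrganizationConfig`; the `MSExchangeMitigation` service; `Get-WebConfiguration` from the WebAdministration module; `Get-InboxRule`). The `$RulePattern` value is an assumption: Microsoft's rule name for CVE-2026-42897 is not stated on this page, so read the mitigation IDs the script prints and adjust it. Session-token rotation is deliberately not included because it is environment-specific.

```powershell
# Added example (not from the page or from Microsoft): audit EEMS posture on
# one on-premises Exchange server. Run in the Exchange Management Shell as an
# Exchange administrator; WebAdministration requires local admin on the server.
param(
    [string]$Server = $env:COMPUTERNAME,
    # ASSUMPTION: substring of the rewrite-rule name Microsoft used for this
    # mitigation. Not given on the page; set it after reading MitigationsApplied.
    [string]$RulePattern = 'CVE-2026-42897'
)

# 1. Service state plus org-level and server-level EEMS switches.
#    Both MitigationsEnabled flags must be $true for a rule to be applied here;
#    MitigationsBlocked lists mitigation IDs an admin has explicitly excluded.
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $Server

[pscustomobject]@{
    Server             = $srv.Name
    ServiceState       = if ($svc) { $svc.Status } else { 'NotInstalled' }
    OrgMitigations     = $org.MitigationsEnabled
    ServerMitigations  = $srv.MitigationsEnabled
    MitigationsApplied = ($srv.MitigationsApplied -join ', ')
    MitigationsBlocked = ($srv.MitigationsBlocked -join ', ')
} | Format-List

# 2. Can this server reach the Office Config Service at all? Without HTTPS to
#    officeclient.microsoft.com nothing new will ever be delivered automatically
#    (the air-gapped case), so the result itself is compliance evidence.
$ocs = Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443 `
    -WarningAction SilentlyContinue
if (-not $ocs.TcpTestSucceeded) {
    Write-Warning "No path to officeclient.microsoft.com:443 from $Server; automatic EEMS delivery cannot work, apply the rewrite rule manually."
}

# 3. What URL Rewrite rules are really present under Default Web Site (OWA
#    and its child paths included)? A mitigation listed in MitigationsApplied
#    but absent here means the rule was removed by hand or the IIS URL Rewrite
#    module is not installed, and the server is unprotected.
Import-Module WebAdministration
$rules = Get-WebConfiguration -Filter 'system.webServer/rewrite/rules/rule' `
    -PSPath 'IIS:\Sites\Default Web Site' -Recurse
$rules |
    Select-Object name,
        @{ n = 'match';  e = { $_.match.url } },
        @{ n = 'action'; e = { $_.action.type } } |
    Format-Table -AutoSize
if (-not ($rules | Where-Object { $_.name -like "*$RulePattern*" })) {
    Write-Warning "No rewrite rule matching '$RulePattern' found on $Server; the EEMS mitigation is not active here."
}

# 4. Mailbox-rule monitoring: inbox rules that forward, redirect or silently
#    delete mail are the usual persistence left behind once an OWA session has
#    been hijacked. Emit them for review; run this on a schedule and diff.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue
} | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
} | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage |
    Format-Table -AutoSize
```

Save the output of steps 1 to 3 with a timestamp per server; that record, together with the documented OWA side effects, is what a federal team would attach to its BOD 22-01 exception while the patch is outstanding. Step 4 enumerates every mailbox and is slow in large organisations; scope it with `-Filter` or `-OrganizationalUnit` on `Get-Mailbox` where that is practical.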
