
Exchange Emergency Mitigation Service
Microsoft's auto-applied URL-rewrite mitigation framework for Exchange Server, used as the sole remediation for CVE-2026-42897 with documented side effects to calendar, Light mode, and inline images.
Last refreshed: 20 May 2026 · Appears in 1 active topic
EEMS is the only fix for an actively exploited Exchange zero-day; does it actually satisfy CISA's 29 May deadline?
Timeline for Exchange Emergency Mitigation Service
Mentioned in: 200 fixes, six zero-days, late Exchange
Cybersecurity: Threats and DefencesApplied a URL-rewrite rule to mitigate CVE-2026-42897 with documented side effects to OWA calendar, Light mode, and inline images
Cybersecurity: Threats and Defences: Exchange repeats the CISA deadline-before-patch trapWhat is the Exchange Emergency Mitigation Service and how does it work?
Does the EEMS mitigation for CVE-2026-42897 satisfy CISA's 29 May deadline?
What breaks when you enable the EEMS workaround for the Exchange OWA vulnerability?
Background
The Exchange Emergency Mitigation Service (EEMS) is Microsoft's mechanism for deploying security mitigations to on-premises Exchange Server installations without requiring a full code patch. It operates by downloading signed mitigation packages from Microsoft's Office Config Service via HTTPS, applying URL-rewrite rules or disabling vulnerable features via PowerShell on the local IIS installation. In May 2026, EEMS became the sole sanctioned control for CVE-2026-42897, the OWA cross-site scripting zero-day added to CISA's KEV catalogue on 15 May with a 29 May federal Deadline. The specific EEMS rule for CVE-2026-42897 applies a URL-rewrite filter to OWA requests; documented side effects include OWA calendar print failure, broken OWA Light mode, and inline-image rendering failures. EEMS is enabled by default on Exchange Server 2016, 2019, and Subscription Edition.
Microsoft introduced EEMS in 2021 following the ProxyLogon mass-exploitation event, specifically to allow emergency mitigation faster than the traditional monthly patch cycle. Each mitigation is a signed XML descriptor that the service applies automatically, giving Microsoft the ability to push a URL-rewrite or feature-disable rule within hours of a vulnerability being weaponised. The mechanism requires internet connectivity to Microsoft's configuration endpoint, creating a dependency some air-gapped or high-security environments cannot satisfy.
EEMS creates a structural tension with BOD 22-01's binary remediation model. The directive treats "mitigated" and "patched" as distinct states, and CISA's 29 May Deadline for CVE-2026-42897 nominally requires a patch that does not exist. In practice, EEMS mitigation is the best available response, but it does not satisfy the directive as written. Security teams applying EEMS must document the side effects, confirm the mitigation is active, and supplement it with session-token rotation and mailbox-rule monitoring to achieve the closest approximation of BOD 22-01 compliance. This is the second time in twelve days CISA has imposed a federal Deadline that EEMS-class mitigations, rather than patches, must bridge.