A critical cross-site scripting vulnerability in Microsoft Exchange Server’s Outlook Web Access is being actively exploited in the wild, and CISA is now demanding that federal agencies remediate by May 29, 2026.
Tracked as CVE-2026-42897, the flaw enables unauthorized attackers to silently execute arbitrary JavaScript in a victim’s browser, requiring nothing more than opening a specially crafted email.
Microsoft publicly disclosed CVE-2026-42897 on May 14, 2026, crediting an anonymous security researcher for responsibly reporting the issue.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a well-known cross-site scripting weakness that has historically served as a gateway to credential theft, session hijacking, and lateral network movement.
At its core, the vulnerability lives inside the web page generation logic of Outlook Web Access (OWA), the browser-based email interface used by millions of enterprise users on on-premises Exchange deployments.
According to Microsoft’s advisory, “Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network”.
Critically, this attack requires no authentication and can be launched remotely over a network, dramatically lowering the bar for exploitation.
CVE-2026-42897: Microsoft Exchange XSS Vulnerability
Unlike traditional server-side exploits that require a foothold on the target machine, CVE-2026-42897 is delivered entirely through email. The attacker sends a specially crafted email message to an Exchange user; when the victim opens that message in Outlook Web Access under certain browser conditions, the attacker-controlled JavaScript executes silently in the victim’s browser session. The payload is embedded within the email content itself: there is no dropped binary, no server-side implant, and no separate authentication layer to defeat.
This email-as-payload delivery model is particularly dangerous because it bypasses many traditional endpoint defenses and exposes the attack surface squarely within the browser, where session tokens, cookies, and user credentials are stored.
Security researchers at LinkedIn noted that “a spoofing flaw that executes arbitrary JavaScript through Outlook Web Access is not just a mail server problem, it is an identity and session hijacking vector waiting to be chained into lateral movement”.
This chaining potential from XSS to session theft to privilege escalation makes CVE-2026-42897 a meaningful risk even without a confirmed ransomware campaign attribution.
Affected Versions
The vulnerability impacts the following on-premises Exchange Server versions:
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
- Microsoft Exchange Server Subscription Edition (SE)
Exchange Online is not affected. Organizations exclusively using Microsoft 365 cloud-hosted email are not exposed to this vulnerability. However, hybrid deployments that route email through on-premises Exchange infrastructure should treat this as a high-priority remediation item, particularly if OWA is internet-facing.
The CVSS score for CVE-2026-42897 has been reported at both 8.1 (SOC Prime / The Hacker News) and 6.1 (Feedly/Patch Tuesday analysis), reflecting differences in scoring methodology.
Regardless of scoring variation, CISA’s decision to add this flaw to the Known Exploited Vulnerabilities (KEV) Catalog on May 15, 2026, confirms that real-world exploitation is occurring and that the threat is not theoretical.
CISA added CVE-2026-42897 to its KEV Catalog with a due date of May 29, 2026, requiring all Federal Civilian Executive Branch (FCEB) agencies to apply mitigations within that two-week window.
Per Binding Operational Directive (BOD) 22-01, federal agencies must either apply vendor-specified mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of the affected product if no mitigations are available.
Although BOD 22-01 is legally binding only for federal agencies, CISA strongly encourages all private sector organizations and critical infrastructure operators to treat KEV entries with the same urgency.
Mitigation
Microsoft has not yet released a permanent patch for CVE-2026-42897. Instead, the company recommends the following interim measures:
- Enable the Exchange Emergency Mitigation Service (EEMS) – This service (identified as mitigation rule M2) automatically applies a URL Rewrite configuration via IIS to block the known attack vector. It is enabled by default on supported on-premises Exchange versions but may have been disabled by administrators.
- Deploy the Exchange On-Premises Mitigation Tool (EOMT) – For air-gapped or isolated environments where EEMS cannot reach Microsoft update infrastructure, the EOMT can apply CVE-specific mitigations manually per server or across the fleet via the Exchange Management Shell.
- Audit OWA exposure – Inventory all on-premises Exchange systems with internet-facing access, confirm successful mitigation has been applied, and reduce external OWA access where not operationally required until the permanent fix is released.
- Pull and review OWA access logs – Security teams should analyze OWA logs from at least the previous 72 hours to hunt for suspicious JavaScript payloads or anomalous browser interaction patterns that may indicate pre-mitigation exploitation.
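The log review step above, as an added PowerShell example (not part of the advisory or of Microsoft's tooling): it parses IIS W3C logs for the front-end site, keeps only requests under /owa/, URL-decodes the path and query, and flags entries carrying script-like markers. It assumes the default IIS log directory and that the OWA front-end site is W3SVC1; adjust both for your layout.

```powershell
# Added example: hunt IIS W3C logs for OWA requests with script-like markers.
# Assumptions: default IIS log path, front-end site W3SVC1, default W3C fields.
param(
    [string]$LogDir = 'C:\inetpub\logs\LogFiles\W3SVC1',
    [int]$Hours = 72
)

# Substrings that a browser-side injection commonly leaves in a request URL.
# The list is deliberately coarse: review every hit by hand.
$markers = @('<script', 'javascript:', 'onerror=', 'onload=', 'document.cookie', 'eval(')

$since  = (Get-Date).AddHours(-$Hours)
$fields = @()

Get-ChildItem -Path $LogDir -Filter '*.log' |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        Get-Content -Path $_.FullName | ForEach-Object {
            $line = $_
            if ($line.StartsWith('#Fields:')) {
                # Column names follow the directive; a log file may redefine them mid-way.
                $fields = $line.Substring(8).Trim() -split ' '
                return
            }
            if ($line.StartsWith('#') -or $fields.Count -eq 0) { return }

            $values = $line -split ' '
            if ($values.Count -ne $fields.Count) { return }   # skip malformed lines
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

            if ($row['cs-uri-stem'] -notlike '/owa/*') { return }

            # Decode once so '%3Cscript' and '<script' are judged the same way.
            $request = [uri]::UnescapeDataString("$($row['cs-uri-stem'])?$($row['cs-uri-query'])")
            $hit = $markers | Where-Object { $request -match [regex]::Escape($_) } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    When     = "$($row['date']) $($row['time'])"
                    ClientIP = $row['c-ip']
                    User     = $row['cs-username']
                    Status   = $row['sc-status']
                    Marker   = $hit
                    Request  = $request
                }
            }
        }
    } | Sort-Object When | Format-Table -AutoSize
```

Because this flaw is delivered in the email body, the request log will mostly show follow-on activity rather than the payload itself; treat hits as leads to correlate with the mailbox owner's session, not as proof of compromise on their own.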
| Item | Detail | Notes |
|---|---|---|
| Vulnerability ID | CVE-2026-42897 | CWE-79 – Stored/Reflected XSS |
| CVSS Score | 8.1 / 6.1 | Varies by scoring authority |
| Attack Vector | Network (No Auth Required) | Email-based delivery via OWA |
| Target Component | Outlook Web Access (OWA) | On-premises Exchange only |
| KEV Added | May 15, 2026 | CISA Catalog |
| Remediation Deadline | May 29, 2026 | FCEB agencies under BOD 22-01 |
| Mitigation Rule | M2 (URL Rewrite via EEMS) | Temporary – permanent patch pending |
FAQ
Q1: What exactly is CVE-2026-42897?
It is a cross-site scripting (XSS) vulnerability in Microsoft Exchange Server that allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim’s browser via a malicious email opened in Outlook Web Access.
Q2: Does this affect Microsoft 365 or Exchange Online users?
No, Exchange Online and Microsoft 365 cloud-hosted email are confirmed to be unaffected; only on-premises Exchange Server 2016, 2019, and Subscription Edition installations are at risk.
Q3: Is there a permanent patch available yet?
Microsoft has not yet released a full security update; administrators must apply the emergency mitigation via the Exchange Emergency Mitigation Service (EEMS) or the Exchange On-Premises Mitigation Tool (EOMT) until a patch is issued.
Q4: How do I verify if my Exchange server is already protected?
Confirm the Exchange Emergency Mitigation Service Windows service is running, verify mitigation rule M2 is active in the IIS URL Rewrite configuration, and review OWA access logs for suspicious pre-mitigation activity.
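The three checks in that answer (and in the Mitigation section above), as an added PowerShell example to run in the Exchange Management Shell on each server; this is not Microsoft's tooling. The service name MSExchangeMitigation is the EEMS Windows service; the rule-name pattern is a placeholder, since the advisory names the mitigation only as "M2".

```powershell
# Added example: report EEMS state and URL Rewrite mitigation presence on this server.
# Run in the Exchange Management Shell. $RuleNamePattern is a placeholder to adjust
# to the rule name EEMS actually writes for mitigation M2.
param(
    [string]$RuleNamePattern = '*M2*'
)

$results = [ordered]@{}

# 1. The EEMS Windows service ("Microsoft Exchange Emergency Mitigation") must be running.
$svc = Get-Service -Name 'MSExchangeMitigation' -ErrorAction SilentlyContinue
$results['EEMS service present']  = [bool]$svc
$results['EEMS service running']  = ($svc -and $svc.Status -eq 'Running')

# 2. Mitigations must be enabled at both org and server scope; EEMS records
#    which mitigation ids it applied or blocked on this server.
$org = Get-OrganizationConfig
$srv = Get-ExchangeServer -Identity $env:COMPUTERNAME
$results['Org MitigationsEnabled']    = [bool]$org.MitigationsEnabled
$results['Server MitigationsEnabled'] = [bool]$srv.MitigationsEnabled
$results['Applied mitigation ids']    = ($srv.MitigationsApplied -join ', ')
$results['Blocked mitigation ids']    = ($srv.MitigationsBlocked -join ', ')

# 3. The URL Rewrite rule must actually exist on the front-end (Default Web Site).
Import-Module WebAdministration
$rules = Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site' `
                              -Filter 'system.webServer/rewrite/rules/rule'
$results['Rewrite rules on Default Web Site'] = ($rules.name -join ', ')
$results['Rule matching pattern present']     =
    [bool]($rules | Where-Object { $_.name -like $RuleNamePattern })

# Any False row is a gap to close before relying on the interim mitigation.
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Value = $_.Value }
} | Format-Table -AutoSize
```

On an air-gapped server where EEMS cannot reach Microsoft, the service may run but apply nothing; in that case the rewrite-rule rows are the ones that tell you whether the EOMT-applied mitigation is in place.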
Site: thecybrdef.com