Exchange OWA Zero-Day CVE-2026-42897: Active Attacks, No Patch
On May 14, 2026, Microsoft disclosed CVE-2026-42897, a cross-site scripting vulnerability in Exchange Server’s Outlook Web Access that is already being exploited in the wild. There is no permanent patch. The mitigation Microsoft shipped is automatic — if you haven’t disabled the Exchange Emergency Mitigation Service. CISA added it to the Known Exploited Vulnerabilities catalog the very next day, with a compliance deadline of May 29 for federal agencies. If you run on-premises Exchange, this is your week to act.
What CVE-2026-42897 Actually Is
The vulnerability is classified as CWE-79 — improper neutralization of input during web page generation — and it lives in the OWA component of on-premises Exchange Server. An attacker sends a specially crafted email to a target. When that message is opened in Outlook Web Access and “certain interaction conditions” are met, arbitrary JavaScript executes in the victim’s browser context within the OWA origin. Exchange Online is not affected. On-premises Exchange Server 2016, 2019, and Subscription Edition RTM all are. The vulnerability was reported by an anonymous researcher, and Microsoft has not disclosed the threat actor, target scope, or campaign details behind the detected exploitation.
Microsoft rates it CVSS 8.1 (High). NVD’s own enrichment drops it to 6.1 (Medium). That scoring split reflects a genuine analytical disagreement about whether the impact scope is “changed” (NVD’s view) or “unchanged” (Microsoft’s). Do not let the lower score triage this into your backlog. CISA’s KEV placement means the question is not whether this is serious enough — it is whether you’ve applied the mitigation yet. NVD’s detail page lists the vulnerability, and Help Net Security reported active exploitation on May 15.
| Attribute | Detail |
|---|---|
| CVE | CVE-2026-42897 |
| CWE | 79 — Improper Neutralization of Input During Web Page Generation (XSS) |
| CVSS (Microsoft CNA) | 8.1 High (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) |
| CVSS (NVD) | 6.1 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
| Affected Versions | Exchange Server 2016, 2019, Subscription Edition RTM |
| Not Affected | Exchange Online |
| Exploitation Status | Active, detected in the wild |
| CISA KEV Deadline | May 29, 2026 |
| Permanent Patch | Not yet available |
| Immediate Mitigation | EEMS (auto) or EOMT (manual script) |
Why OWA XSS Is Not “Just XSS”
Security teams triage XSS findings every day. Most are low-severity stored or reflected bugs in low-value web applications. This one operates in a fundamentally different threat environment.
The delivery mechanism is native to the product. The attacker does not need to trick the victim into visiting a malicious URL or clicking a link in a comment section. The payload arrives as email — the primary data type of the application itself. The malicious content is dangerous even if the user opens no attachment and visits no external site.
The execution context carries authenticated identity. OWA is not an anonymous portal. A browser script running inside the OWA origin operates within the user’s authenticated session. That means potential access to messages, calendar entries, delegated mailboxes, directory information, and internal communications context — constrained by browser security controls and application design, but far from trivial.
The trust surface is enormous. If an attacker can render arbitrary content inside OWA, they can spoof password prompts, fabricate internal emails, modify calendar invitations, or inject persistent phishing pages inside an interface the user trusts implicitly. This is why Microsoft classified the impact as “spoofing” rather than just “information disclosure.”
The follow-on potential is real. As Penligent’s technical analysis notes, Exchange sits at the intersection of identity, communications, and Active Directory. Historical Exchange vulnerabilities — ProxyLogon, ProxyNotShell, ProxyShell — all began with seemingly contained flaws that escalated into full infrastructure compromise. CVE-2026-42897 is not the same class as those RCE chains, but it lives in the same high-value environment.
CVSS Score Disagreement: 8.1 vs 6.1
The scoring gap between Microsoft (8.1) and NVD (6.1) deserves attention because it will inevitably cause triage friction in organizations that rely on automated severity thresholds. The disagreement centers on the Scope metric in CVSS v3.1. Microsoft’s vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. NVD’s is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
In plain terms, NVD believes the vulnerability’s impact “changes” scope — meaning the vulnerable component (Exchange) and the impacted component (the browser) are different trust domains. That downgrades Confidentiality and Integrity to Low. Microsoft disagrees, rating both Confidentiality and Integrity as High with Scope Unchanged.
Here is the operational reality: neither score captures what matters. The right question is not whether CVSS says 6.1 or 8.1. It is whether an attacker can execute JavaScript in the browser of every employee who checks email via OWA. The answer is yes. CISA’s KEV listing confirms the operational urgency. Treat this as High and move on. Rescana’s zero-day analysis provides additional scoring context.
Mitigation: What You Should Do Right Now
Microsoft has released a temporary mitigation through two channels while a permanent security update is being developed.
Option 1: Exchange Emergency Mitigation Service (EEMS)
If EEMS is enabled — and it is by default on supported Exchange versions — the mitigation for CVE-2026-42897 was deployed automatically on May 14. Verify that the service is running and that the specific mitigation is active. If your organization disabled EEMS at any point (some did, over concerns about Microsoft pushing mitigations without explicit admin consent), re-enable it immediately and confirm the mitigation applied successfully.
Option 2: Exchange On-Premises Mitigation Tool (EOMT)
For environments where EEMS cannot be enabled, Microsoft provides the Exchange On-premises Mitigation Tool. Download and run the script from Microsoft’s official security guidance. Details are available through Help Net Security’s coverage of the mitigation steps and Microsoft’s security response channels.
Beyond Mitigation: Detection and Hardening
- Audit OWA exposure. Identify any Exchange servers exposing OWA to the internet. If OWA does not need to be externally accessible, restrict it to VPN or internal networks.
- Preserve logs. Ensure IIS logs, Exchange message tracking logs, and OWA access logs are being retained and forwarded to your SIEM. If exploitation occurred before mitigation, you need forensic evidence.
- Review authentication. If you have not already implemented MFA for OWA access, this is the week to do it. A spoofing attack inside an authenticated OWA session is harder to exploit if the session itself requires a second factor.
- Monitor for indicators. While no public IOCs exist for the specific exploitation campaign, monitor for unusual OWA session behavior: unexpected JavaScript in message bodies, atypical session tokens, or mailbox access patterns from unusual client IPs.
The Bigger Picture: On-Prem Exchange Remains a Liability
This vulnerability is yet another reminder that on-premises Exchange Server carries disproportionate operational risk. The product requires active patching, emergency mitigation services, and constant monitoring — and even then, zero-days like CVE-2026-42897 exploit the gap between disclosure and remediation. Exchange Online, which is not affected by this vulnerability, abstracts that patching burden away from the customer.
Organizations still running Exchange 2016 or 2019 should note that security updates for those versions are now only available through the Extended Security Updates program. If you are not enrolled, you will not receive the permanent fix when it ships. Dark Reading reports that the absence of a patch makes this particularly urgent for legacy deployments.
The pattern is consistent and ugly: ProxyLogon (2021), ProxyShell (2021), ProxyNotShell (2022), and now CVE-2026-42897. Each time, on-prem Exchange admins scramble to apply emergency mitigations while Microsoft prepares a patch. If your organization has a migration path to Exchange Online or an alternative mail platform, this vulnerability should accelerate that timeline. If it does not, you are betting that the next Exchange zero-day will be less severe than this one.
FAQ
Is Exchange Online affected by CVE-2026-42897?
No. Microsoft has explicitly stated that Exchange Online is not impacted. The vulnerability affects only on-premises deployments of Exchange Server 2016, 2019, and Subscription Edition RTM.
What does “certain interaction conditions” mean?
Microsoft has not specified the exact conditions required for exploitation beyond stating that the victim must open a crafted email in OWA. This likely refers to specific user interactions within the OWA interface that trigger the vulnerable code path, but without public proof-of-concept code, the precise mechanism remains undisclosed.
What happens if I do not apply the mitigation?
Your OWA users remain exposed to a vulnerability that is being actively exploited in the wild. An attacker could execute arbitrary JavaScript in the browser context of any user who views a crafted email through OWA, enabling session spoofing, credential theft, and mailbox reconnaissance. For federal agencies, CISA’s KEV deadline of May 29, 2026 is mandatory under BOD 22-01.
Will there be a permanent patch?
Yes. Microsoft has confirmed it is working on a security update for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15. Updates for Exchange 2016 and 2019 will only be released to customers enrolled in the Period 2 Exchange Server ESU program. No release date has been announced.
References
- Help Net Security — Unpatched Microsoft Exchange Server vulnerability exploited (CVE-2026-42897)
- NVD — CVE-2026-42897 Detail
- Rescana — CVE-2026-42897 Zero-Day Analysis
- Penligent — CVE-2026-42897, the Exchange OWA XSS Zero-Day
- SOC Prime — CVE-2026-42897: Exchange Server OWA Spoofing Flaw Exploited via Crafted Email
- Forbes — Microsoft Confirms Active 0-Day Exploit, Check Emergency Mitigation
- Dark Reading — Microsoft Exchange Zero-Day Under Attack, No Patch Available