
Overview
Microsoft has confirmed active exploitation of CVE-2026-42897, a Cross-Site Scripting vulnerability in Microsoft Exchange Server carrying a CVSS score of 8.1. The flaw stems from improper neutralization of input during web page generation in Microsoft Exchange Server, allowing an unauthorized attacker to perform spoofing over a network.
Affected Products
CVE-2026-42897 affects on-premises versions of Microsoft Exchange Server: Subscription Edition RTM, 2019, and 2016. Exchange Online is not affected.
Period 1 ESU customers are also out of scope — that ESU program ended in April 2026.
Vulnerability Details
An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
Microsoft tagged the vulnerability with an “Exploitation Detected” assessment. There are currently no public details on how the vulnerability is being exploited in the wild, the identity of the threat actor behind the activity, or the scale of such efforts. It is also unclear who the targets are and whether any of those attacks were successful.
An anonymous researcher has been credited with discovering and reporting the issue.
Exploitation Mechanics
The attack chain is straightforward:
- Attacker crafts a malicious email with embedded payload targeting OWA’s input rendering
- Email is delivered to victim’s Exchange mailbox
- Victim opens the email via Outlook Web Access (browser-based client)
- Interaction conditions are met — arbitrary JavaScript executes in the OWA browser session
- From there, session tokens, credential harvesting, phishing amplification, or user-context actions become viable
If malicious JavaScript can run in the OWA browser context, the risk moves beyond an ugly message rendering bug and into the realm of session manipulation, content access, phishing amplification, or user-context actions depending on the exact constraints of the vulnerability.
Mitigation — No Permanent Patch Available Yet
There is no permanent Exchange security update available yet for CVE-2026-42897. Microsoft says it is working on one and will release it later for affected supported paths.
Option 1 — Exchange Emergency Mitigation Service (EEMS)
For customers who have the Exchange EM Service enabled, Microsoft released the automatic mitigation for Exchange Server 2016, 2019, and SE. The mitigation is already published and is enabled automatically. EM Service was released in September 2021 and is enabled by default.
To verify mitigation is applied, look for mitigation ID M2.1.x in your EEMS check. You can run the Exchange Health Checker script at https://aka.ms/ExchangeHealthChecker to confirm status.
Option 2 — Exchange On-Premises Mitigation Tool (EOMT)
For all servers (excluding Edge role), run the following from an elevated Exchange Management Shell:
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
This option applies to disconnected or air-gapped environments where EEMS cannot reach the internet.
Known Issues Post-Mitigation
OWA Print Calendar functionality might not work — as a workaround, copy the data or screenshot the calendar, or use Outlook Desktop client. Inline images might not display correctly in the recipient’s OWA reading pane — as a workaround, send images as attachments or use the Desktop client. OWA light (URL ending in /?layout=light) does not work properly, though this feature has been deprecated for years and is not intended for regular production use.
There is also a known cosmetic issue where the mitigation shows “Mitigation invalid for this exchange version” in the description field — the mitigation does apply successfully if the status shows “Applied.”
Detection & Response
- Check EEMS logs at %ExchangeInstallPath%\Logging\EmergencyMitigation\ for entries confirming CVE-2026-42897-M2 applied
- Hunt OWA access logs for anomalous JavaScript execution patterns or unexpected authenticated actions post-email-open
- Monitor for lateral movement or credential harvesting events following OWA sessions
- Alert on unusual outbound connections from Exchange servers
Recommended Actions
- Immediately verify EEMS is enabled on all on-premises Exchange servers
- Confirm Mitigation M2.1.x is applied — do not assume; check the status explicitly
- Run EOMT manually for any server where EEMS is disabled or internet access is restricted
- Enable EEMS on any server where it is currently off — the risk of not doing so outweighs change management overhead
- Monitor for permanent patch release via Microsoft MSRC and apply immediately upon availability
- Restrict OWA access at the perimeter where operationally feasible until the permanent fix lands
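The following script is an added example, not part of the advisory and not Microsoft's tooling. It performs the two checks the Detection & Response and Recommended Actions sections call for: confirming that EEMS is enabled on every non-Edge server and that a mitigation matching the advisory's M2.1.x identifier is recorded as applied, then corroborating against the EEMS log directory. It assumes an elevated Exchange Management Shell on a supported CU (the MitigationsEnabled / MitigationsApplied / MitigationsBlocked properties on the server object), that the mitigation ID begins with "M2.1" as the advisory states, and that EEMS log lines mentioning the CVE contain the word "Applied" (the log wording is an assumption; verify it against a raw line from your own server).

```powershell
# Added example (not from the advisory or from Microsoft): report EEMS state and
# CVE-2026-42897 mitigation status across on-premises Exchange servers.
# Assumptions: elevated Exchange Management Shell; mitigation ID pattern "M2.1*"
# taken from the advisory; EEMS log lines for an applied mitigation contain "Applied".

$cveId            = "CVE-2026-42897"
$mitigationPrefix = "M2.1"   # per the advisory; adjust if Microsoft publishes a different ID

# Organization-wide switch: if this is $false, no server applies any mitigation.
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.MitigationsEnabled) {
    Write-Warning "EEMS is disabled at the organization level; re-enable with Set-OrganizationConfig -MitigationsEnabled `$true"
}

$report = foreach ($server in (Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" })) {
    # Exchange 2016 CU22+, 2019 CU11+ and SE expose these properties on the server object.
    $applied = @($server.MitigationsApplied)
    $blocked = @($server.MitigationsBlocked)
    $hasM2   = @($applied | Where-Object { $_ -like "$mitigationPrefix*" }).Count -gt 0

    # Decide what the operator should do for this server; do not assume, check explicitly.
    if (-not $server.MitigationsEnabled) {
        $action = "EEMS off: enable it or run EOMT manually"
    } elseif (-not $hasM2) {
        $action = "Mitigation not applied: run EOMT or wait for next EEMS cycle"
    } else {
        $action = "OK"
    }

    [pscustomobject]@{
        Server            = $server.Name
        EEMSEnabled       = $server.MitigationsEnabled
        MitigationApplied = $hasM2
        AppliedIDs        = ($applied -join ",")
        BlockedIDs        = ($blocked -join ",")
        Action            = $action
    }
}

$report | Format-Table -AutoSize

# Corroborate with the local EEMS log: lines that mention the CVE and an "Applied" status.
# The "Applied" keyword is an assumption about the log format; check a raw line first.
$logDir = Join-Path $env:ExchangeInstallPath "Logging\EmergencyMitigation"
if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir -Filter *.log -Recurse |
        Select-String -Pattern $cveId |
        Where-Object { $_.Line -match "Applied" } |
        Select-Object -Last 5 Filename, LineNumber, Line
} else {
    Write-Warning "EEMS log directory not found at $logDir"
}
```

Run it once per site after EEMS has had time to poll; any server whose Action column is not "OK" is a candidate for the EOMT path described under Option 2, and a non-empty BlockedIDs column means someone has deliberately blocked a mitigation on that host and should be asked why before the permanent patch ships.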