One carefully crafted email. No attachment to open, no link to click — opening or previewing a crafted message in OWA may trigger execution under specific conditions. That’s CVE-2026-42897: a zero-day in Microsoft Exchange Server’s Outlook Web Access (OWA) that’s being actively exploited right now, with no permanent patch in sight.
TL;DR
- CVE-2026-42897 is an XSS vulnerability in Exchange Server’s OWA with a CVSS score of 8.1
- An attacker sends a crafted email — when the victim opens it in OWA, arbitrary JavaScript executes in their browser session
- Affects Exchange Server 2016, 2019, and Subscription Edition (SE) — Exchange Online is not impacted
- Microsoft confirmed active exploitation; CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026
- No permanent patch yet — enable Exchange Emergency Mitigation Service (EM Service) or run EOMT immediately
Why This Matters
If your organization runs on-premises Exchange — and tens of thousands of organizations globally still do — this vulnerability turns your email server into an attack surface where opening or previewing a crafted email in OWA may be enough to trigger malicious JavaScript execution under the victim’s authenticated session.
This isn’t theoretical. Microsoft confirmed active exploitation on the same day they disclosed the vulnerability — May 14, 2026. CISA added CVE-2026-42897 to the Known Exploited Vulnerabilities catalog the very next day. When CISA moves that fast, so should you.
Exchange has been a high-value target for years — ProxyLogon, ProxyShell, ProxyNotShell. CVE-2026-42897 follows that pattern: the email server sits at the heart of enterprise communication, making it an attractive pivot point for espionage, business email compromise (BEC), and ransomware pre-staging.
The Vulnerability: XSS in OWA
CVE-2026-42897 is a cross-site scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) in Microsoft Exchange Server’s Outlook Web Access component.
What is OWA? Outlook Web Access is Exchange’s browser-based email client — the web interface employees use to read email from any browser, on any device, without installing Outlook. Because OWA runs in a browser, it’s subject to the same class of web vulnerabilities as any other web application.
What is XSS? Cross-site scripting occurs when a web application takes user-supplied data and reflects or stores it in a page without proper sanitization — allowing that data to be interpreted as code rather than content. Imagine writing a note that, when someone reads it, their browser treats part of it as a software instruction. That instruction then runs with the same authority as the legitimate application.
In this case, Exchange fails to properly sanitize specific email content before rendering it inside OWA. The result: JavaScript embedded in a crafted email executes within the authenticated OWA session context, inheriting all the permissions of the logged-in user.
Vulnerability At a Glance
| Property | Value |
|---|---|
| CVE ID | CVE-2026-42897 |
| CVSS Score | 8.1 (High) |
| CWE | CWE-79 – Cross-Site Scripting |
| Attack Vector | Network |
| Attack Complexity | Low |
| User Interaction | Required (opening email in OWA) |
| Privileges Required | None |
| Scope | Changed (browser context breakout) |
| Disclosure Date | May 14, 2026 |
| Reporter | Anonymous |
“User Interaction Required” here is misleading if read too optimistically. It doesn’t mean the victim must click something suspicious — it means they need to open the email. For most employees, that’s an automatic behavior dozens of times a day.
How the Attack Works
The exploit chain has few moving parts, which is exactly what makes it effective at scale.
Step 1: Crafting the Malicious Email
An attacker constructs an email containing an XSS payload embedded in HTML content that OWA processes during rendering. The specific injection point — whether an HTML attribute, a particular header, or inline styling — hasn’t been fully detailed in public disclosures, which is standard practice to prevent trivial exploitation while mitigations roll out.
What we do know: the payload is delivered via standard SMTP. No Exchange credentials, no prior foothold, no MitM required. The attacker needs a valid target email address and a path to deliver mail to the Exchange server — both trivially obtainable in most corporate environments.
Step 2: Email Delivery and Storage
The crafted email lands in the victim’s mailbox on the Exchange server. At this point, nothing has happened yet. The payload sits dormant in the mail store.
Step 3: Victim Opens Email in OWA
When the victim opens the email in a browser via OWA, Exchange retrieves the message and renders it to HTML. Due to the improper input neutralization, the malicious payload survives the rendering process and the browser executes the embedded JavaScript.
This happens invisibly. No error messages, no unexpected prompts, no visible indication that anything unusual has occurred. From the victim’s perspective, they opened an email.
Step 4: JavaScript Executes in Session Context
With JavaScript executing under the OWA domain, the attacker’s code runs with the same authority as the legitimate OWA application. This is often called session riding or authenticated action abuse: the script doesn’t need to steal cookies directly (modern authentication cookies are frequently HttpOnly, blocking direct JavaScript access), but it can make requests on behalf of the authenticated user from within the same browser context.
This enables a range of post-exploitation actions:
- Authenticated action abuse — issue OWA API requests as the victim: read, send, or delete emails, modify calendar entries, all within the same-origin session
- Mailbox exfiltration — silently read mailbox content and POST it to attacker-controlled infrastructure via a browser-side callback
- Mail rule manipulation — create forwarding rules that copy all future inbound mail to an attacker-controlled address
- Credential harvesting — inject a fake authentication dialog into OWA, capturing the victim’s password when they re-enter it
- Internal spearphishing — send emails appearing to originate from the victim’s account to other employees, escalating the attack laterally
- Reconnaissance — extract contact lists, calendar entries, and organizational data visible to the compromised session
The Microsoft advisory describes this as a “spoofing” vulnerability — language that undersells the impact. Authenticated action abuse inside a corporate mail client is a data breach waiting to be discovered.
Affected Versions
| Product | Affected |
|---|---|
| Exchange Server 2016 (all CUs) | Yes |
| Exchange Server 2019 (all CUs) | Yes |
| Exchange Server Subscription Edition (SE) | Yes |
| Exchange Online / Microsoft 365 | No |
The critical boundary: Exchange Online is not affected. This vulnerability lives entirely in on-premises Exchange infrastructure. Organizations that completed their Microsoft 365 migration can set this one aside.
For hybrid deployments — where on-prem Exchange coexists with Exchange Online for mail routing — the on-prem servers handling OWA remain vulnerable. Verify where your users actually authenticate to OWA.
Active Exploitation: What We Know
Microsoft disclosed CVE-2026-42897 on May 14, 2026, and confirmed simultaneous active exploitation. This is the worst-case disclosure scenario: defenders start with zero lead time.
CISA responded by adding CVE-2026-42897 to the Known Exploited Vulnerabilities catalog on May 15 — 24 hours after disclosure. Under Binding Operational Directive 22-01, federal agencies have 21 days to remediate. That deadline signals urgency the private sector should mirror.
Public attribution for the active exploitation remains unconfirmed. The attack profile — email-borne, targeting enterprise communication infrastructure, no prior access required — fits both financially motivated actors running BEC campaigns and nation-state groups with persistent email access as an intelligence collection objective.
Historically, Exchange zero-days draw fast-moving threat actors. ProxyShell was weaponized by multiple ransomware groups within weeks of PoC publication. CVE-2026-42897 should be treated with equivalent urgency.
MITRE ATT&CK Mapping
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566 – Phishing | Crafted email delivers the XSS payload to the target mailbox |
| Execution | T1059.007 – JavaScript | XSS payload executes arbitrary JavaScript in the OWA browser context |
| Credential Access | T1185 – Browser Session Hijacking | Authenticated session abused via same-origin JavaScript; direct cookie theft limited by HttpOnly flags, but in-session action abuse is still possible |
| Collection | T1114 – Email Collection | Mailbox content silently read and exfiltrated via in-session OWA API calls |
| Collection | T1114.003 – Email Forwarding Rule | Attacker-created forwarding rules copy inbound mail to an external address |
Detection
Exploiting CVE-2026-42897 leaves traces across multiple log sources. Detection requires correlation — no single indicator is conclusive on its own.
IIS and Exchange Logs
OWA runs on IIS, but note a key limitation: the XSS payload is delivered in the email body, not in a URL parameter. IIS access logs capture request paths and query strings — they won’t contain the message content where the payload lives. IIS logs are still useful for spotting anomalous OWA request patterns (unusual endpoints, unexpected HTTP error codes, high-frequency access to specific message IDs), but they should not be your primary detection layer for payload identification.
Exchange Message Tracking
Identify the delivery of the crafted email by correlating message tracking logs with the incident timeline. Focus on external senders and messages with HTML content-type that arrived before unusual OWA session activity.
```powershell
# Pull message tracking for external senders around the incident window
Get-MessageTrackingLog -Start "2026-05-14 00:00" -End "2026-05-16 23:59" `
    -EventId "RECEIVE" |
    Where-Object { $_.Sender -notlike "*@yourdomain.com" }
```
Endpoint and Proxy Telemetry (Primary Detection Layer)
With XSS, the callback originates from the victim’s browser on their workstation, not from the Exchange server itself. Focus your network monitoring on endpoint and proxy telemetry:
- HTTP/HTTPS requests from user workstations to unknown external destinations shortly after OWA sessions
- DNS queries for unfamiliar domains triggered from browser processes following OWA email access
- Web proxy logs showing unusual POST requests from OWA sessions to external IPs
- Browser-sourced connections to newly registered or low-reputation domains correlated with OWA activity timestamps
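The message-tracking pull above and the endpoint/proxy indicators just listed only become a detection when they are joined on the same recipient, workstation and time window. The following PowerShell is an added example written for this post, not code from the original article or from Microsoft: it builds three small constructed log extracts (message tracking RECEIVE events, OWA access records with the authenticated user and client IP, and web proxy records) and walks the chain external mail received, recipient opens OWA, that workstation POSTs to a host outside the organisation shortly afterwards. The property names, the `yourdomain.com` accepted domain and the 10-minute window are assumptions; map them to your own exporters.

```powershell
# Added example (not from the original post or any Microsoft tooling).
# Correlates three constructed log extracts to surface the chain described above:
#   external mail RECEIVE -> recipient's OWA access -> POST from that workstation
#   to a host outside the organisation within a short window.
# Property names are assumptions modelled on Get-MessageTrackingLog output,
# IIS W3C fields (cs-username, c-ip) and a generic web proxy export.

$InternalDomains = @('yourdomain.com')   # assumption: your accepted domains
$WindowMinutes   = 10                    # assumption: tune to your environment

# Constructed message tracking RECEIVE events
$MessageTracking = @(
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:02:10'; EventId = 'RECEIVE'; Sender = 'billing@vendor-portal.example'; Recipients = 'alice@yourdomain.com'; MessageSubject = 'Invoice 4471' }
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:05:44'; EventId = 'RECEIVE'; Sender = 'bob@yourdomain.com';           Recipients = 'alice@yourdomain.com'; MessageSubject = 'Lunch?' }
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:20:00'; EventId = 'RECEIVE'; Sender = 'news@updates.example';         Recipients = 'carol@yourdomain.com'; MessageSubject = 'Weekly digest' }
)

# Constructed IIS OWA access records (authenticated user and client IP per request)
$OwaAccess = @(
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:06:30'; User = 'alice@yourdomain.com'; ClientIp = '10.20.30.41'; Path = '/owa/service.svc' }
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:21:05'; User = 'carol@yourdomain.com'; ClientIp = '10.20.30.57'; Path = '/owa/service.svc' }
)

# Constructed web proxy records from user workstations
$ProxyLog = @(
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:06:33'; ClientIp = '10.20.30.41'; Method = 'POST'; Destination = 'cdn-metrics.example';       Bytes = 48211 }
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:07:10'; ClientIp = '10.20.30.41'; Method = 'GET';  Destination = 'www.microsoft.com';         Bytes = 1200 }
    [pscustomobject]@{ Timestamp = [datetime]'2026-05-15 09:25:00'; ClientIp = '10.20.30.57'; Method = 'POST'; Destination = 'intranet.yourdomain.com';   Bytes = 900 }
)

function Test-InternalHost {
    # True when the host name is one of the organisation's domains or a subdomain of one
    param([string]$HostName, [string[]]$Internal)
    foreach ($d in $Internal) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-OwaCallbackChains {
    param($Tracking, $Access, $Proxy, [string[]]$Internal, [int]$Window)
    $findings = @()
    # 1. Only messages from outside the organisation can carry an unsolicited payload
    $externalMail = $Tracking | Where-Object {
        $_.EventId -eq 'RECEIVE' -and -not (Test-InternalHost (($_.Sender -split '@')[-1]) $Internal)
    }
    foreach ($msg in $externalMail) {
        foreach ($rcpt in ($msg.Recipients -split ';')) {
            $user = $rcpt.Trim()
            # 2. Recipient opened OWA after the message landed in the mailbox
            $sessions = $Access | Where-Object { $_.User -eq $user -and $_.Timestamp -ge $msg.Timestamp }
            foreach ($s in $sessions) {
                # 3. The same workstation POSTed to a non-corporate host shortly afterwards
                $posts = $Proxy | Where-Object {
                    $_.ClientIp -eq $s.ClientIp -and $_.Method -eq 'POST' -and
                    $_.Timestamp -ge $s.Timestamp -and $_.Timestamp -le $s.Timestamp.AddMinutes($Window) -and
                    -not (Test-InternalHost $_.Destination $Internal)
                }
                foreach ($p in $posts) {
                    $findings += [pscustomobject]@{
                        Recipient   = $user
                        Sender      = $msg.Sender
                        Subject     = $msg.MessageSubject
                        Workstation = $s.ClientIp
                        OwaAccess   = $s.Timestamp
                        Callback    = "$($p.Destination) at $($p.Timestamp.ToString('HH:mm:ss')), $($p.Bytes) bytes"
                    }
                }
            }
        }
    }
    return $findings
}

Find-OwaCallbackChains -Tracking $MessageTracking -Access $OwaAccess -Proxy $ProxyLog `
    -Internal $InternalDomains -Window $WindowMinutes | Format-Table -AutoSize

# Live use: replace the constructed arrays, e.g.
#   $MessageTracking = Get-MessageTrackingLog -Start "2026-05-14 00:00" -End "2026-05-16 23:59" -EventId RECEIVE
# and parse your IIS and proxy exports into objects with the same property names.
```

With the constructed data only Alice's chain is reported: an external sender, an OWA request from her workstation a few minutes later, and a sizeable POST from that same IP to an unfamiliar host within seconds. Carol's POST goes to `intranet.yourdomain.com` and is filtered out by the internal-host check, and Bob's internal message is never considered. The step that matters is the join on client IP between the IIS OWA log and the proxy log, because, as the post notes, the callback leaves the victim's browser, not the Exchange server.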
EM Service Mitigation Verification
If EM Service is active, confirm that Mitigation M2 (URL Rewrite) has been applied:
```powershell
# Verify applied mitigations on your Exchange server
Get-ExchangeDiagnosticInfo -Server <YourExchangeServer> `
    -Process MSExchangeHMWorker `
    -Component VariantConfiguration `
    -Probe Standby
```
Look for M2 in the returned mitigation list. If it’s absent, the protection has not been applied.
Mailbox Forwarding Rule Auditing
After any suspected exploitation, audit all mailboxes for unexpected forwarding rules — a common attacker persistence mechanism:
```powershell
# Audit forwarding rules across all mailboxes
Get-Mailbox -ResultSize Unlimited | Get-InboxRule |
    Where-Object { $_.ForwardTo -ne $null -or $_.RedirectTo -ne $null } |
    Select-Object MailboxOwnerID, Name, ForwardTo, RedirectTo
```
Mitigation: Act Now
No permanent patch exists as of May 16, 2026. Microsoft’s guidance centers on two immediate mitigation paths.
Option 1: Exchange Emergency Mitigation Service (Recommended)
EM Service is Microsoft’s built-in mechanism for deploying emergency mitigations to on-prem Exchange servers without a full patch cycle. It’s enabled by default on supported, up-to-date Exchange 2016, 2019, and SE installations — but servers running unsupported cumulative update levels may not have it in a functional state. Verify before assuming it’s active. When properly configured, EM Service automatically downloads and applies a URL Rewrite rule (Mitigation M2) that blocks the vulnerable request patterns for CVE-2026-42897.
Verify EM Service is enabled:
```powershell
Get-ExchangeDiagnosticInfo -Server <ExchangeServer> `
    -Process MSExchangeHMWorker `
    -Component VariantConfiguration `
    -Probe Standby
```
Enable if disabled:
```powershell
Enable-ExchangeMitigationService -Server <ExchangeServer>
```
After enabling, allow up to 30 minutes for the service to download and apply the mitigation automatically. Internet connectivity from the Exchange server to Microsoft’s mitigation endpoint is required.
Option 2: Exchange On-Premises Mitigation Tool (Air-Gapped Environments)
For Exchange servers without internet access, Microsoft provides the Exchange On-Premises Mitigation Tool (EOMT). Download it from an internet-connected machine, transfer it to the Exchange server, and run:
```powershell
.\EOMT.ps1
```
EOMT applies the same URL Rewrite mitigation as EM Service without requiring outbound connectivity.
Supplementary Hardening
| Action | Priority |
|---|---|
| Restrict OWA access to VPN / known IP ranges | High |
| Enable MFA on all OWA-accessible accounts | High |
| Audit all mailbox forwarding rules immediately | High |
| Block Exchange server outbound to unexpected destinations | Medium |
| Review OWA session logs for anomalous activity | Medium |
| Disable OWA for high-value accounts if not business-critical | Medium |
Disabling OWA globally is operationally disruptive and shouldn’t be the first step — EM Service applied correctly closes the attack surface. But if you cannot apply the mitigation immediately and OWA is exposed to the internet, taking it offline temporarily is a reasonable short-term choice.
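The forwarding-rule audit in the Detection section and the "Audit all mailbox forwarding rules" row above both report every rule that forwards anywhere, which in a large tenant includes plenty of legitimate internal routing. The PowerShell below is an added example written for this post (not the article's or Microsoft's code) that narrows the audit to destinations outside the organisation and also covers mailbox-level `ForwardingSmtpAddress`, which `Get-InboxRule` never shows. The rule and mailbox objects are constructed inline; the `"Display Name" [SMTP:address]` recipient string shape, the `smtp:` prefix on `ForwardingSmtpAddress`, and the `yourdomain.com` accepted domain are assumptions modelled on Exchange output.

```powershell
# Added example (not from the original post or Microsoft). Reports only inbox
# rules and mailbox settings that forward or redirect OUTSIDE the organisation.
# Input objects are constructed; property names and string formats are
# assumptions modelled on Get-InboxRule and Get-Mailbox output.

$InternalDomains = @('yourdomain.com')   # assumption: your accepted domains

# Constructed Get-InboxRule-style objects (single-quoted so the embedded quotes survive)
$InboxRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@yourdomain.com'; Name = 'Archive'; Enabled = $true;  ForwardTo = @('"Archive" [SMTP:archive@yourdomain.com]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ MailboxOwnerId = 'alice@yourdomain.com'; Name = '.';       Enabled = $true;  ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = @('"." [SMTP:collector@mail-relay.example]') }
    [pscustomobject]@{ MailboxOwnerId = 'bob@yourdomain.com';   Name = 'Old';     Enabled = $false; ForwardTo = @('"Bob" [SMTP:bob.old@yourdomain.com]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
)

# Constructed Get-Mailbox-style objects
$Mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@yourdomain.com'; ForwardingSmtpAddress = 'smtp:carol.backup@free-mail.example'; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'dave@yourdomain.com';  ForwardingSmtpAddress = $null; DeliverToMailboxAndForward = $false }
)

function Get-SmtpAddress {
    # Pull the bare SMTP address out of an Exchange recipient string
    param([string]$Recipient)
    if ($Recipient -match '\[SMTP:([^\]]+)\]') { return $Matches[1] }
    if ($Recipient -match '^smtp:(.+)$')       { return $Matches[1] }
    return $Recipient
}

function Test-ExternalRecipient {
    param([string]$Recipient, [string[]]$Internal)
    $domain = ((Get-SmtpAddress $Recipient) -split '@')[-1].ToLowerInvariant()
    return -not ($Internal -contains $domain)
}

function Find-ExternalForwarding {
    # One finding per rule or mailbox setting whose destination is outside the org
    param($InboxRules, $Mailboxes, [string[]]$Internal)
    $findings = @()
    foreach ($rule in $InboxRules) {
        # ForwardAsAttachmentTo is a third forwarding action the one-liner audit misses
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalRecipient $_ $Internal }
        if ($external) {
            $findings += [pscustomobject]@{
                Mailbox     = $rule.MailboxOwnerId
                Source      = "InboxRule: $($rule.Name)"
                Enabled     = $rule.Enabled
                Destination = ($external | ForEach-Object { Get-SmtpAddress $_ }) -join ', '
            }
        }
    }
    foreach ($mbx in $Mailboxes) {
        if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient $mbx.ForwardingSmtpAddress $Internal)) {
            $findings += [pscustomobject]@{
                Mailbox     = $mbx.PrimarySmtpAddress
                Source      = 'Mailbox ForwardingSmtpAddress'
                Enabled     = $true
                Destination = Get-SmtpAddress $mbx.ForwardingSmtpAddress
            }
        }
    }
    return $findings
}

Find-ExternalForwarding -InboxRules $InboxRules -Mailboxes $Mailboxes -Internal $InternalDomains |
    Format-Table -AutoSize

# Live use: replace the constructed arrays with
#   $InboxRules = Get-Mailbox -ResultSize Unlimited | Get-InboxRule
#   $Mailboxes  = Get-Mailbox -ResultSize Unlimited
```

On the constructed data the report contains two rows: Alice's rule named "." redirecting to `mail-relay.example` and Carol's mailbox-level forward to `free-mail.example`; Alice's internal archive rule and Bob's disabled internal rule are not reported. Rule names consisting of a single punctuation character and mailbox-level forwards set outside of any inbox rule are both worth treating as suspicious on their own, since neither is how users normally configure forwarding.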
What Comes Next
Microsoft is preparing a permanent security update. Given the CISA KEV classification and confirmed active exploitation, Microsoft may issue an out-of-band release rather than waiting for the standard Patch Tuesday cycle. Monitor the Microsoft Security Update Guide and the Exchange Team Blog for release timing.
When the patch drops: test in a staging environment first — Exchange updates have a history of requiring careful rollout — but prioritize speed over completeness. The threat is active now.
The pattern here — a zero-day targeting Exchange at the mail rendering layer, enabling silent session hijacking — won’t be the last of its kind. OWA’s complexity makes it a persistent attack surface. If your organization is still running on-prem Exchange, this should accelerate the conversation about cloud migration timelines or, at minimum, tighter network-level access controls around OWA.
Related Posts
- XSS: Cross-Site Scripting Complete Guide — The mechanics behind the vulnerability class driving CVE-2026-42897
- Phishing Email Analysis: Security Decoder — How to analyze crafted emails like those exploiting this flaw
- Vulnerability Exploitation Overtook Phishing: A Defender’s Guide — Why CVE-based initial access has become the dominant enterprise threat vector
Sources
- Microsoft Community Hub: Addressing Exchange Server May 2026 vulnerability CVE-2026-42897
- CISA: Known Exploited Vulnerabilities — CVE-2026-42897 Addition
- The Hacker News: On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
- BleepingComputer: Microsoft warns of Exchange zero-day flaw exploited in attacks
- Security Affairs: CVE-2026-42897 — Microsoft confirms active exploitation
- Help Net Security: Unpatched Microsoft Exchange Server vulnerability exploited
- SOC Prime: CVE-2026-42897 Exchange Server OWA Spoofing Flaw Analysis
- SecurityWeek: Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild
- Infosecurity Magazine: Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers
- Canadian Centre for Cyber Security: Microsoft Security Advisory AV26-473