Unpatched 0-Day Vulnerability in Microsoft Exchange Server Actively Exploited in Attacks


Microsoft has issued an urgent advisory regarding CVE-2026-42897, a high-severity spoofing and Cross-Site Scripting (XSS) zero-day vulnerability in Microsoft Exchange Server. The flaw is currently being exploited by threat actors to target Outlook on the web (OWA) users. By delivering specially crafted emails, attackers can execute arbitrary JavaScript within the victim’s browser context, potentially leading to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the user.

Severity: Critical

Vulnerability Details

  • CVE: CVE-2026-42897
  • Weakness: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting)
  • Impact class: Spoofing (effectively client-side code execution in browser context)
  • CVSS Score: 8.1
  • Exploited in the wild: Yes (Microsoft assessment: “Exploitation Detected”).
  • Note: Microsoft is handling this as an actively exploited zero-day at the time of disclosure. Despite the "spoofing" label, the underlying primitive is arbitrary JavaScript execution in OWA's browser context.
  • Patch Status: No permanent security update is available at disclosure. Microsoft is shipping mitigation only and will release a patch later.
  • Patch Availability Forecast: Updates will ship for Exchange SE RTM, Exchange 2019 CU14/CU15 and Exchange 2016 CU23. The Exchange SE update will be publicly available; the Exchange 2016/2019 updates will be released only to Period 2 ESU subscribers (Period 1 ESU ended April 2026).

Affected Products (On-Premises Only)

  • Microsoft Exchange Server Subscription Edition (SE) RTM
  • Microsoft Exchange Server 2019 CU14 and CU15
  • Microsoft Exchange Server 2016 CU23
  • Not affected: Exchange Online.

Attack Vector & Exploitation Conditions

  • Attacker delivers a specially crafted email to a target user.
  • Trigger requires the recipient to open the email in Outlook on the web (OWA) and meet "certain interaction conditions". Microsoft does not detail these, most likely to withhold exploitation detail while attacks are ongoing.
  • On trigger, arbitrary JavaScript executes in the browser context of the authenticated OWA session.
  • Probable consequences: session/token theft, mailbox content exfiltration via OWA APIs, mail-rule manipulation, phishing pivoting from a trusted internal sender.
  • Outlook desktop client is not stated as a trigger surface.
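The consequences listed above are what a responder should hunt for on servers that were exposed before the mitigation landed. The following is an added example, not part of the Microsoft advisory or this post, that looks for the mail-rule manipulation primitive (forwarding, redirecting or silently deleting rules) and pulls the corresponding rule changes from the admin audit log. It runs in an elevated Exchange Management Shell; the 30-day window and the "suspicious rule" criteria are assumptions to tune for your environment.

```powershell
# Added example (not from the Microsoft advisory): hunt for inbox-rule tampering,
# a probable post-exploitation action after an OWA session is hijacked.
# Run in an elevated Exchange Management Shell on an on-premises Exchange server.

$Since = (Get-Date).AddDays(-30)   # ASSUMED look-back window; widen if exposure was longer

# 1. Inbox rules that forward, redirect or delete mail are the classic
#    persistence / exfiltration primitive once an attacker controls the session.
$SuspiciousRules = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
            Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 2. OWA creates and edits rules by running New-InboxRule / Set-InboxRule on the
#    user's behalf, so the admin audit log records who changed what and when
#    (requires admin audit logging to be enabled, which is the default).
$RuleChanges = Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule, Remove-InboxRule `
        -StartDate $Since -EndDate (Get-Date) -ResultSize 5000 |
    Select-Object RunDate, Caller, ObjectModified, CmdletName,
        @{ n = 'Parameters'; e = {
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }

# Review interactively, then keep a copy for the incident case file.
$SuspiciousRules | Sort-Object Mailbox | Format-Table -AutoSize
$RuleChanges | Sort-Object RunDate -Descending | Format-Table -AutoSize

$SuspiciousRules | Export-Csv -Path .\owa-suspicious-inbox-rules.csv -NoTypeInformation
$RuleChanges     | Export-Csv -Path .\owa-inbox-rule-changes.csv -NoTypeInformation
```

Rules whose Caller in the audit log is the mailbox owner but whose timestamp coincides with an OWA session from an unfamiliar client address are the ones to escalate; a legitimate user rarely creates an external forwarding rule and a delete rule at the same minute.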

Mitigation

  • Option 1 (recommended): the Exchange Emergency Mitigation (EM) Service, enabled by default since September 2021, receives and applies the mitigation automatically. Servers must be on an Exchange build from March 2023 or later to receive new mitigations.
  • Option 2: For customers who cannot use the EM Service (for example, disconnected or air-gapped environments), Microsoft recommends downloading the latest version of the Exchange On-premises Mitigation Tool (EOMT) and applying the mitigation per server or on all servers at once by running the script from an elevated Exchange Management Shell (EMS):
    • Single server: .\EOMT.ps1 -CVE "CVE-2026-42897"
    • All servers: Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
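Before trusting Option 1, confirm that each server can actually receive the mitigation and that it has been applied. The following is an added example, not part of the Microsoft advisory or this post, that reports the organisation- and server-level MitigationsEnabled flags, the EM service state, the applied/blocked mitigation lists and the build, then falls back to the EOMT command above for any server that is not covered. The mitigation ID `$MitigationId` is a placeholder assumption, since the advisory does not publish it; take the real value from the advisory or from Get-Mitigations.ps1 in the Exchange Scripts folder. The EOMT.ps1 invocation follows the page's own pipeline form.

```powershell
# Added example (not from the Microsoft advisory): verify EM coverage for the
# mitigation and apply EOMT only where the EM Service has not done the job.
# Run in an elevated Exchange Management Shell.

$Cve          = 'CVE-2026-42897'
$MitigationId = 'M1.1'   # ASSUMED placeholder; replace with the ID Microsoft assigns

# The EM Service honours both an org-wide switch and a per-server switch.
$OrgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$Report = Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' } | ForEach-Object {
    # MSExchangeMitigation is the Windows service name of the EM Service.
    $svc = Get-Service -ComputerName $_.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server            = $_.Name
        Build             = $_.AdminDisplayVersion   # must be a March 2023 or later build
        OrgMitigations    = $OrgEnabled
        ServerMitigations = $_.MitigationsEnabled
        EMService         = if ($svc) { $svc.Status } else { 'NotFound' }
        Applied           = ($_.MitigationsApplied -join ',')
        Blocked           = ($_.MitigationsBlocked -join ',')
        Covered           = [bool]($_.MitigationsApplied -contains $MitigationId)
    }
}

$Report | Format-Table -AutoSize

# Anything not covered (EM disabled, service stopped, build too old, mitigation
# blocked, or an air-gapped server) gets the mitigation applied via EOMT.
# EOMT.ps1 is assumed to have been downloaded into the current directory.
$Uncovered = $Report | Where-Object { -not $_.Covered }
if ($Uncovered) {
    Write-Warning ("Applying EOMT mitigation for {0} to: {1}" -f $Cve, ($Uncovered.Server -join ', '))
    $Uncovered | ForEach-Object { Get-ExchangeServer -Identity $_.Server } | .\EOMT.ps1 -CVE $Cve
} else {
    Write-Host "All non-Edge servers report mitigation $MitigationId applied."
}
```

A server listed in Blocked rather than Applied means the mitigation was explicitly disabled on that server (Set-ExchangeServer -MitigationsBlocked); clear that before expecting the EM Service to apply it. Re-run the report after the permanent update ships so the temporary mitigation can be tracked to removal.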

Source:

  • https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897


7th August 2026

New Delhi, India
