Cybersecurity 15 May 2026 Matas Bliudzius

Microsoft Exchange Zero-Day CVE-2026-42897 Actively Exploited: What You Need to Know


Microsoft has disclosed a zero-day vulnerability in Exchange Server, tracked as CVE-2026-42897, that is being actively exploited in attacks. The flaw allows attackers to conduct cross-site scripting attacks via malicious emails viewed in Outlook Web Access.

What Is CVE-2026-42897?

CVE-2026-42897 is a high-severity spoofing and cross-site scripting (XSS) vulnerability affecting Microsoft Exchange Server. The flaw exists in Outlook Web Access (OWA) and can be triggered by a specially crafted email. When a victim views or previews the malicious message in OWA, the attacker’s payload can execute within the context of the victim’s browser session.

The affected versions include:

  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019
  • Microsoft Exchange Server SE (Subscription Edition)

How Is It Being Exploited?

The attack requires no interaction beyond the victim viewing the email in OWA. Crafted HTML content within the email body exploits insufficient input sanitisation in Exchange’s web interface, allowing attacker-controlled JavaScript to execute. This can be used to:

  • Steal session cookies, potentially leading to account takeover
  • Redirect users to malicious websites
  • Exfiltrate data visible within the OWA session
  • Perform actions on behalf of the victim within OWA

Microsoft’s Emergency Mitigation

Microsoft has deployed an automatic mitigation through the Exchange Emergency Mitigation Service (EEMS). This service can push mitigations to on-premises Exchange servers automatically when critical vulnerabilities are discovered, without requiring a full Cumulative Update.

However, administrators should be aware of known side effects of the current mitigation:

  • Calendar printing functionality may fail in OWA
  • Inline images may not display correctly in some email views

These are acceptable trade-offs given the severity of active exploitation, but administrators should communicate this to affected users while patches are applied.

What Should You Do?

If you run on-premises Microsoft Exchange Server, the immediate priority actions are:

  1. Verify EEMS is enabled — Confirm that the Exchange Emergency Mitigation Service is running on each server and that it has received the current mitigation rule; both can be checked from the Exchange Management Shell.
  2. Apply the patch — Microsoft has released a security update addressing CVE-2026-42897. Apply the relevant Cumulative Update or Security Update as soon as possible.
  3. Monitor OWA logs — Review IIS and Exchange logs for unusual activity, particularly looking for evidence of XSS payloads in request parameters.
  4. Consider disabling OWA temporarily — In high-risk environments where OWA is not business-critical, temporarily disabling it until patching is complete removes the attack surface entirely.
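As an added example (not from the original post and not Microsoft's own tooling), the following Exchange Management Shell script performs the step 1 check across every Mailbox server. It assumes the EEMS attributes MitigationsEnabled, MitigationsApplied and MitigationsBlocked that Get-OrganizationConfig and Get-ExchangeServer expose, and the MSExchangeMitigation Windows service name; the mitigation ID for this CVE is not given in the post, so it is a placeholder to fill in from Microsoft's advisory.

```powershell
# Added example, not part of the original post: run in the Exchange Management Shell (Windows PowerShell)
# to confirm EEMS is on and has applied the current rule on every Mailbox server.
# Placeholder: replace with the mitigation ID Microsoft publishes for CVE-2026-42897.
$expectedMitigationId = 'MITIGATION-ID-FROM-MICROSOFT-ADVISORY'
$findings = @()

# Organisation-wide switch: when False, EEMS is disabled for every server regardless of per-server settings.
if (-not (Get-OrganizationConfig).MitigationsEnabled) {
    $findings += 'EEMS is disabled at the organisation level (Get-OrganizationConfig MitigationsEnabled = False).'
}

# EEMS runs on the Mailbox role; Edge Transport servers are out of scope.
foreach ($server in (Get-ExchangeServer | Where-Object { $_.IsMailboxServer })) {
    $name = $server.Name
    if (-not $server.MitigationsEnabled) {
        $findings += "${name}: EEMS is disabled on this server (MitigationsEnabled = False)."
    }

    # The service itself must be running, otherwise no rules are fetched or applied.
    $svc = Get-Service -ComputerName $name -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        $findings += "${name}: MSExchangeMitigation service is missing or not running."
    }

    # MitigationsApplied lists rule IDs the server has pulled and applied; MitigationsBlocked lists
    # rules an administrator has explicitly blocked, which leaves the server unprotected on purpose.
    $applied = @($server.MitigationsApplied)
    $blocked = @($server.MitigationsBlocked)
    if ($applied.Count -eq 0) {
        $findings += "${name}: no mitigations applied yet; check outbound HTTPS from the EEMS service."
    } elseif ($applied -notcontains $expectedMitigationId) {
        $findings += "${name}: applied [$($applied -join ', ')] but not the expected rule $expectedMitigationId."
    }
    if ($blocked -contains $expectedMitigationId) {
        $findings += "${name}: the expected rule is on the blocked list and will not be applied."
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'EEMS is enabled, running, and has applied the expected mitigation on all Mailbox servers.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The Get-Mitigations.ps1 script that ships in the Exchange Scripts folder gives the same per-server view interactively if you prefer Microsoft's own output.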

The Bigger Picture: On-Premises Exchange Risk

Exchange Server vulnerabilities have been a persistent and significant security concern. The 2021 ProxyLogon and ProxyShell vulnerabilities led to widespread compromise of Exchange servers globally, and attackers continue to target the platform. Organisations still running on-premises Exchange should have a clear patching cadence and consider whether migrating to Exchange Online (Microsoft 365) would reduce their attack surface.

BIT Tech IT Solutions provides Exchange Server management, security patching, and migration services. If you need assistance verifying your Exchange security posture or applying this patch, contact our team.