Overview
CVE-2026-42897 is a stored cross-site scripting vulnerability in Microsoft Exchange Server's Outlook Web Access (OWA) interface. An unauthenticated attacker can send a specially crafted email to any OWA user; when the recipient opens the email in their browser, arbitrary JavaScript executes in their authenticated OWA session. No attachment, no macro, and no action beyond opening the email is required.
Microsoft disclosed the vulnerability out-of-band on May 14, 2026 — two days after May 2026 Patch Tuesday, which included no Exchange security updates — and confirmed active exploitation in the wild at the time of disclosure. No Cumulative Update patch was available at disclosure; interim mitigation is available through the Exchange Emergency Mitigation Service (EEMS).
What Is Microsoft Exchange Server?
Microsoft Exchange Server is an on-premises email and calendaring platform used extensively across enterprise, government, and critical infrastructure environments. Organizations that have not migrated to Exchange Online (Microsoft 365) continue to run Exchange Server 2016, 2019, or the newer Subscription Edition (SE) on their own infrastructure to meet data residency, compliance, or architectural requirements.
On-premises Exchange is a high-value target for several structural reasons:
- Central email hub: Every internal and external email passes through it, making it a natural chokepoint for intelligence collection
- Authentication integration: Exchange is typically integrated with Active Directory and used by thousands of users, meaning a compromised session can pivot to other internal systems
- Persistent access: OWA is internet-facing by design, offering attackers a continuously available entry point
- Legacy exposure: Exchange 2016 and 2019 are in extended support, with large installed bases that lag on Cumulative Update cadence
Exchange OWA XSS vulnerabilities have historically been among the most operationally significant Exchange flaws — they require no user credentials to trigger and give attackers direct access to the victim's authenticated session without any malware on the endpoint.
Affected Versions
Exchange Online (Microsoft 365) is not affected. This vulnerability is limited to on-premises Exchange Server deployments.
| Product | Status |
|---|---|
| Exchange Server 2016 (all CU levels) | Vulnerable |
| Exchange Server 2019 (all CU levels) | Vulnerable |
| Exchange Server Subscription Edition (SE) — all RTM levels | Vulnerable |
| Exchange Online (Microsoft 365) | Not affected |
When patches are released:
| Product | Expected Patch | ESU Required |
|---|---|---|
| Exchange Server SE | Next RTM update | No — publicly available |
| Exchange Server 2019 | Cumulative Update 15 (CU15) | Yes — ESU Period 2 (May–October 2026) enrollment required |
| Exchange Server 2016 | Cumulative Update 23 (CU23) | Yes — ESU Period 2 enrollment required |
Exchange Server 2016 and 2019 entered extended support in October 2025. Security patches for these versions beyond that date are only distributed to customers enrolled in Microsoft's Extended Security Update (ESU) program. Organizations running 2016 or 2019 without ESU enrollment cannot receive the patch through normal update channels.
Technical Details
Vulnerability Class
CVE-2026-42897 is a stored XSS vulnerability — the malicious payload is embedded in an email message and persists server-side until a victim opens the email, at which point the payload executes in the victim's OWA browser session. This is more dangerous than reflected XSS (which requires tricking the victim into clicking a crafted URL) because the exploit self-delivers via ordinary email: the attacker sends a message, and any recipient who opens it in OWA is exploited.
The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N captures this precisely:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Delivered remotely via email |
| Attack Complexity | Low | No race conditions, no special prerequisites |
| Privileges Required | None | Attacker does not need an Exchange account |
| User Interaction | Required | Victim must open the email in OWA |
| Scope | Unchanged | Execution is bounded to the victim's OWA session |
| Confidentiality | High | Full access to the victim's email, contacts, and session tokens |
| Integrity | High | Attacker can modify email rules, send email as the victim, alter OWA state |
| Availability | None | No denial-of-service component |
The Scope: Unchanged classification reflects that while the JavaScript executes in the victim's browser, it does so within the existing OWA security principal — the attacker does not escape to a different security context, but gains full access to everything the OWA session can reach.
Root Cause
The vulnerability stems from improper neutralization of user-controlled input during web page generation in OWA's email rendering pipeline (CWE-79). A specially crafted email contains content that bypasses OWA's HTML sanitization and is written into the rendered page without adequate escaping or encoding. When the browser renders the OWA page, the injected script executes with the same permissions as the OWA application — the victim's authenticated session.
Microsoft has not publicly disclosed the specific OWA component, email header or field, or the exact sanitization bypass technique, in order to limit copycat exploitation. The exploitation behavior (no attachment, no special interaction beyond opening the email) is consistent with a flaw in OWA's email body rendering or a header field (such as From, Subject, or a custom MIME header) that is reflected into the page DOM without proper output encoding.
What an Attacker Can Do With OWA XSS
Once JavaScript is executing in the victim's authenticated OWA session, the attacker's code has the same access as the user:
| Objective | Mechanism |
|---|---|
| Session hijacking | Exfiltrate the OWA session token/cookie to an attacker-controlled server for replay |
| Email reading | Silently read inbox, sent items, drafts — including sensitive business communications |
| Email forwarding rules | Create Inbox rules to silently forward all future email to an external address |
| Sending as the victim | Compose and send email on behalf of the victim — phishing from a trusted internal address |
| Calendar and contacts access | Read meeting invites, contact lists, and organizational directory information |
| Credential harvesting | Overlay a fake authentication prompt over OWA to capture the victim's Active Directory password |
| Lateral movement staging | Use the victim's session to access OWA-integrated services and stage further attacks |
The most operationally damaging pattern is the combination of session token exfiltration (providing persistent access beyond the current browser session) and email forwarding rule creation (providing ongoing intelligence collection without repeated exploitation).
Discovery
The vulnerability was discovered by an anonymous researcher through Microsoft's coordinated vulnerability disclosure program. Microsoft has not disclosed the researcher's name, organization, or discovery methodology.
The timing of public disclosure — two days after May 2026 Patch Tuesday, before a patch was ready — indicates either that Microsoft was notified under a short embargo (possibly due to active exploitation already being detected externally) or that active exploitation was identified by Microsoft's own threat intelligence before a fix could be prepared and coordinated through the normal monthly release cycle.
Exploitation Context
Microsoft confirmed active in-the-wild exploitation at the time of disclosure on May 14, 2026 — making this a zero-day at publication. The CISA KEV listing on May 15, 2026 confirms evidence of exploitation meeting CISA's catalog threshold.
Microsoft has not attributed exploitation to a specific threat actor or disclosed the scale, targeting patterns, or observed post-exploitation behavior. Based on the vulnerability class, the most operationally likely post-exploitation sequence is:
- Attacker sends crafted email to targeted OWA users
- Victim opens the email in OWA; JavaScript executes silently
- Session token is exfiltrated to attacker infrastructure
- Attacker replays the token for persistent email access, or creates forwarding rules for ongoing collection
- In targeted intrusions: Active Directory credentials are harvested via a fake OWA re-authentication prompt, enabling pivot to internal systems
The out-of-band disclosure timing — after Patch Tuesday with no fix available — means organizations were exposed for an indeterminate period before they could take any vendor-recommended remediation action beyond the EEMS workaround.
Exposure context: Internet-facing OWA deployments represent tens of thousands of endpoints worldwide. Organizations in financial services, government, legal, and healthcare sectors are frequent targets of Exchange-focused campaigns due to the sensitivity of email communications.
Detection
Identifying Exposed OWA Endpoints
Any Exchange Server with OWA accessible over the internet is directly reachable for this exploit. Verify whether OWA is internet-facing:
```powershell
# Check OWA virtual directory configuration
Get-OwaVirtualDirectory -Server <servername> | Select-Object Server, InternalUrl, ExternalUrl
```
If ExternalUrl resolves to a public IP or hostname, OWA is internet-facing. Scanning tools such as Shodan can identify externally exposed Exchange OWA endpoints (title:"Outlook Web App" or http.title:"Outlook").
EEMS Mitigation Verification
Confirm the EEMS mitigation was received and applied:
```powershell
# Check EEMS status on the Exchange server
Get-ExchangeDiagnosticInfo -Server <servername> -Process EdgeTransport -Component MitigationService -Settings MitigationService
```
Alternatively, check the IIS URL rewrite rules applied by EEMS:
```powershell
# Verify IIS URL rewrite rule was applied
Get-WebConfiguration -PSPath "IIS:\Sites\Default Web Site\OWA" -Filter "system.webServer/rewrite/rules/rule" | Select-Object name, enabled
```
Suspicious OWA Activity Indicators
Review Exchange OWA logs and Inbox rules for post-exploitation indicators:
```powershell
# List all Inbox rules for a mailbox — look for unexpected forwarding rules
Get-InboxRule -Mailbox <mailbox> | Select-Object Name, Description, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled

# Check for rules forwarding to external addresses (rule recipients render as 'Name [SMTP:user@domain]')
Get-InboxRule -Mailbox <mailbox> | Where-Object {
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
    @($targets -match 'SMTP:' -notmatch '@<internal-domain>').Count -gt 0   # <internal-domain>: your own SMTP domain
}
```
Review IIS logs at %ExchangeInstallPath%\Logging\HttpProxy\Owa\ for anomalous POST requests to OWA endpoints from IP addresses that differ from the user's normal login location. A successful exploit will typically show a POST to an OWA rendering endpoint followed by outbound requests to external IPs originating from the browser (visible in network-level logs or a proxy).
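The log review described above, as an added example written for this page (not Microsoft's code and not part of the original advisory): it parses the HttpProxy\Owa logs for the exposure window and lists users whose authenticated OWA requests arrived from more distinct client IP addresses than expected. It assumes the log columns DateTime, AuthenticatedUser, ClientIpAddress and UrlStem, and a threshold of two IPs per user; both are assumptions to adjust for your environment.

```powershell
param(
    [string]$LogPath = (Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy\Owa'),
    [datetime]$Start = '2026-05-11',   # 72 hours before the 2026-05-14 disclosure
    [datetime]$End   = '2026-05-15',
    [int]$MaxIpsPerUser = 2            # assumed threshold; tune to your environment
)

function Import-HttpProxyLog {
    # Returns one object per request. Handles both a plain CSV header line and the
    # "#Fields:" comment-style header used by some Exchange log types.
    param([string]$File)
    $lines  = Get-Content -Path $File
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $body   = $lines | Where-Object { $_ -and -not $_.StartsWith('#') }
    if ($header) {
        $body | ConvertFrom-Csv -Header (($header -replace '^#Fields:\s*', '') -split ',')
    } else {
        $body | ConvertFrom-Csv
    }
}

# Authenticated OWA requests inside the window, across every log file in the folder.
$rows = Get-ChildItem -Path $LogPath -Filter '*.LOG' -ErrorAction Stop |
    ForEach-Object { Import-HttpProxyLog -File $_.FullName } |
    Where-Object {
        $_.AuthenticatedUser -and
        ([datetime]$_.DateTime) -ge $Start -and ([datetime]$_.DateTime) -lt $End
    }

# One line per user seen from more distinct client IPs than the threshold allows.
$findings = $rows | Group-Object AuthenticatedUser | ForEach-Object {
    $ips = @($_.Group.ClientIpAddress | Sort-Object -Unique)
    if ($ips.Count -gt $MaxIpsPerUser) {
        [pscustomobject]@{
            User      = $_.Name
            IpCount   = $ips.Count
            ClientIps = ($ips -join ';')
            Requests  = $_.Count
            FirstSeen = ($_.Group.DateTime | Sort-Object | Select-Object -First 1)
            LastSeen  = ($_.Group.DateTime | Sort-Object | Select-Object -Last 1)
            Endpoints = (@($_.Group.UrlStem | Sort-Object -Unique) -join ';')
        }
    }
}

$findings | Sort-Object IpCount -Descending | Format-Table -AutoSize
```

Users flagged here still need manual review against VPN logs and known roaming behaviour; the script surfaces candidates, it does not confirm compromise.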
Email Forensics
Inspect the triggering email if a suspected exploitation event is identified:
```powershell
# Search message tracking logs for emails from a specific sender
Get-MessageTrackingLog -Start (Get-Date).AddDays(-7) -Sender "<sender-address>" -EventId DELIVER
```
Retrieve and inspect the raw email source via Exchange Management Shell or EWS for unexpected HTML content, inline <script> tags, or obfuscated JavaScript in the message body or custom MIME headers.
Remediation
Step 1 — Apply the EEMS Mitigation (Immediate)
The Exchange Emergency Mitigation Service pushes interim URL-rewrite mitigations directly to internet-connected Exchange servers. On Exchange servers with EEMS enabled (the default), the mitigation for CVE-2026-42897 was deployed automatically on May 14, 2026.
Verify EEMS is enabled and the mitigation was applied:
```powershell
Get-ExchangeDiagnosticInfo -Server <servername> -Process EdgeTransport -Component MitigationService -Settings MitigationService
```
For disconnected environments (Exchange servers without internet access to the EEMS endpoint), apply the mitigation manually using the Exchange On-premises Mitigation Tool (EOMT):
```powershell
# Download EOMT from Microsoft and run as administrator
.\EOMT.ps1
```
See Microsoft's EOMT documentation for the full procedure.
Known side effects of the EEMS mitigation:
- OWA Print Calendar functionality is disabled
- Inline images may not render in the OWA reading pane — users can access attachments instead
Step 2 — Apply the Vendor Patch When Released
When Microsoft releases a Cumulative Update containing the permanent fix, apply it during your next maintenance window:
| Product | Target Update | ESU Required |
|---|---|---|
| Exchange Server SE | Next RTM update | No |
| Exchange Server 2019 | CU15 | Yes — ESU Period 2 |
| Exchange Server 2016 | CU23 | Yes — ESU Period 2 |
Exchange 2016 and 2019 customers not enrolled in ESU should contact Microsoft licensing or their CSP to enroll before the patch is released.
Step 3 — Restrict OWA Internet Exposure (If Possible)
Where operationally feasible, restrict OWA access to VPN-authenticated connections only. This eliminates the unauthenticated network access path:
- Publish OWA through a VPN or reverse proxy that requires authentication before forwarding to the Exchange server
- Use Azure AD Application Proxy or a similar solution to require MFA before reaching OWA
- If OWA is not required externally, remove or disable the external URL binding
This is a defense-in-depth control — it does not fix the underlying vulnerability, but it removes the unauthenticated attacker's ability to deliver the crafted email that serves as the exploit without first compromising a VPN credential.
Step 4 — Audit for Post-Exploitation Indicators
Even if EEMS was applied promptly, audit for signs of exploitation that may have occurred in the window between active exploitation starting and the EEMS deployment:
- Review OWA IIS logs for the 72 hours preceding May 14, 2026
- Audit all Inbox rules for unexpected forwarding or redirect rules (see Detection section)
- Review Active Directory authentication logs for OWA-connected accounts showing unusual login patterns, new device registrations, or off-hours access
- Check Exchange audit logs for mail export or download activity
- If Microsoft Sentinel or a SIEM is deployed, query for OWA sessions followed by rule creation events within the same session
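The Inbox-rule audit from Step 4, carried out organization-wide as an added example (written for this page, not Microsoft's code or part of the advisory). It goes beyond the page's single-mailbox check in two ways: it uses the organization's accepted domains to decide what counts as external, and it also reports mailbox-level forwarding (ForwardingSmtpAddress), which Get-InboxRule never shows. It assumes rule recipients render as 'Name [SMTP:user@domain]' and uses a placeholder output path.

```powershell
# Accepted domains define "internal"; any other target domain is treated as external.
$internal = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })

function Test-ExternalAddress {
    param([string]$Address)
    $domain = ($Address -split '@')[-1].ToLower()
    return [bool]($domain -and ($internal -notcontains $domain))
}

function Get-SmtpTargets {
    # Rule recipients render as 'Name [SMTP:user@domain]'; internal recipients render as
    # [EX:/o=...] legacy DNs with no SMTP address, so they are skipped here.
    param($Recipients)
    foreach ($r in @($Recipients)) {
        if ("$r" -match 'SMTP:([^\]\s]+)') { $Matches[1] }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding is configured with Set-Mailbox, not as an Inbox rule.
    if ($mbx.ForwardingSmtpAddress) {
        $target = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
        if (Test-ExternalAddress $target) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingSmtpAddress'
                               Rule = ''; Target = $target; Enabled = $true
                               KeepCopy = $mbx.DeliverToMailboxAndForward }
        }
    }
    foreach ($rule in @(Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
        $targets = @(Get-SmtpTargets $rule.ForwardTo) +
                   @(Get-SmtpTargets $rule.ForwardAsAttachmentTo) +
                   @(Get-SmtpTargets $rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-ExternalAddress $t) {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                                   Rule = $rule.Name; Target = $t; Enabled = $rule.Enabled
                                   KeepCopy = -not $rule.DeleteMessage }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Placeholder path; keep the report with the incident record.
$findings | Export-Csv -Path 'C:\Temp\owa-forwarding-audit.csv' -NoTypeInformation
```

Run it from the Exchange Management Shell; a KeepCopy value of False means mail is being diverted without leaving a copy in the mailbox, which is the quieter collection pattern.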
Step 5 — Consider Migration to Exchange Online
Exchange Online (Microsoft 365) is not affected by this vulnerability. Organizations still running on-premises Exchange should evaluate the business case for migration. CVE-2026-42897 is the latest in a series of high-severity on-premises Exchange vulnerabilities (following ProxyLogon, ProxyShell, and others) that required emergency out-of-band responses. Microsoft has signaled that Exchange Server on-premises will continue to receive security updates through the SE lifecycle, but the operational burden of maintaining a secure on-premises Exchange deployment continues to grow.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-42897 |
| Vendor / Product | Microsoft — Exchange Server |
| NVD Published | 2026-05-14 |
| NVD Last Modified | 2026-05-15 |
| CVSS 3.1 Score | 8.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Severity | HIGH |
| CWE | CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CISA KEV Added | 2026-05-15 |
| CISA KEV Deadline | 2026-05-29 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-05-12 | May 2026 Patch Tuesday — Microsoft patches 137 CVEs (30 critical, 103 important); no Exchange Server security updates included |
| 2026-05-14 | CVE-2026-42897 published out-of-band; Microsoft discloses zero-day with confirmed active exploitation; EEMS URL-rewrite mitigation pushed automatically to internet-connected Exchange servers |
| 2026-05-15 | Added to CISA Known Exploited Vulnerabilities catalog; BOD 22-01 remediation deadline set for May 29, 2026 |
| 2026-05-29 | CISA BOD 22-01 remediation deadline |