CVE-2026-42897: Unpatched Exchange OWA Zero-Day and How to Mitigate It

CVE-2026-42897: the unpatched Exchange zero-day you need to mitigate now

Microsoft is dealing with an actively exploited Exchange Server zero-day with no patch currently available. If you run on‑premises Exchange and expose Outlook Web Access (OWA), you need to treat this as a priority incident, not a routine vulnerability.

---

What happened

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a cross-site scripting (XSS) and spoofing vulnerability in Exchange Server Outlook Web Access (OWA).

Key points:

• Disclosure date: 2026-05-14, 48 hours after May Patch Tuesday
• Vulnerability type: XSS + spoofing in OWA
• Exploitation status: Active exploitation confirmed by Microsoft
• Affected products:
  • Exchange Server Subscription Edition (SE)
  • Exchange Server 2016
  • Exchange Server 2019

The attack chain

The attack flow is intentionally minimal:

1. An attacker sends a specially crafted email to a user hosted on an affected Exchange Server.
2. When OWA processes or renders that email, the XSS payload executes in the user’s browser session.
3. The user does not need to click a malicious link or be redirected to a separate site. Opening or even previewing the email in OWA is enough.

Because the payload runs in the context of the victim’s OWA session, an attacker can:

• Steal or replay session cookies
• Perform actions as the user (e.g., send mail, set forwarding rules, access other mailboxes if delegated)
• Potentially pivot to internal applications reachable from the user’s browser

Every mailbox accessible via OWA on an affected server is a potential target.

---

Why this is harder to dismiss than a typical XSS

XSS in web apps is often dismissed as a medium-severity issue because it usually requires:

• Tricking a user into clicking a link
• Redirecting them to a malicious page
• Or some other visible interaction

CVE-2026-42897 is different:

• No external link required – the vector is a normal email.
• No complex social engineering – users just do what they always do: read email in OWA.
• High target density – every OWA user is in scope.

Combined with confirmed in-the-wild exploitation, this moves the risk from theoretical to operational. Someone is using this right now against real organizations.

Implications:

• Treat this as a probable account compromise vector, not a cosmetic bug.
• Assume that high-value mailboxes (admins, finance, executives, incident responders) are priority targets.

---

What Microsoft has done

Microsoft has not yet released a full patch for CVE-2026-42897. Instead, they have deployed a server-side mitigation using the Exchange Emergency Mitigation Service (EMES).

What is EMES?

The Exchange Emergency Mitigation Service is built into:

• Exchange Server 2016
• Exchange Server 2019
• Exchange Server Subscription Edition (SE)

When enabled, EMES can:

• Automatically pull mitigation configurations from Microsoft
• Apply server-side rules or filters to block or neutralize active exploits
• Do this without waiting for a full CU/SU patch cycle

For CVE-2026-42897, Microsoft pushed a mitigation package in June 2026 that:

• Adjusts how OWA handles or sanitizes malicious email content
• Reduces or blocks the exploitability of the XSS payload

What you must verify

You should not assume EMES is working. You need to confirm:

1. EMES is enabled and running on each Exchange server.
2. The June 2026 mitigation for CVE-2026-42897 is actually applied.

You can check EMES status via:

• Exchange Admin Center (EAC) – look for the Emergency Mitigation status
• PowerShell – query the service and mitigation configuration

If EMES is disabled, misconfigured, or blocked by outbound network controls, your servers may be fully exposed.

---

Manual mitigation for servers without EMES

If you run on‑premises Exchange and do not have EMES enabled, you must:

1. Enable EMES where possible or
2. Apply the manual mitigations from Microsoft’s official advisory immediately

Microsoft’s advisory includes specific steps (e.g., configuration changes, URL rewrite rules, or filtering logic) to reduce exploitability. Follow those before you wait for a full patch or schedule a maintenance window.

Because this is an OWA-based exploit, consider tightening exposure:

• Restrict OWA to VPN-only or trusted networks.
• If your risk tolerance allows, temporarily block external OWA access until you:
  • Confirm EMES mitigation is applied, or
  • Complete manual mitigation.

---

What to do right now (priority checklist)

1. Inventory your Exchange servers
   • Identify all instances of:
     • Exchange Server SE
     • Exchange Server 2016
     • Exchange Server 2019
   • Confirm which ones expose OWA to the internet or remote users.
2. Verify EMES status on each server
   • Confirm EMES is installed, enabled, and running.
   • Confirm it has successfully retrieved and applied the June 2026 mitigation for CVE-2026-42897.
3. If EMES is not enabled or not working
   • Immediately apply the manual mitigations from Microsoft’s advisory.
   • Ensure any required IIS / URL Rewrite / configuration changes are deployed to all Client Access roles.
4. Harden OWA exposure
   • If feasible, limit OWA to:
     • VPN users
     • Specific IP ranges
     • Or temporarily disable external OWA access.
5. Monitor and hunt for abuse
   • Review OWA access logs for:
     • Unusual login patterns
     • Suspicious IPs or geolocations
     • Abnormal session durations or user agents
   • Look for suspicious mailbox activity:
     • New or modified inbox rules (especially forwarding rules)
     • Unusual Send-As or Send-on-Behalf activity
     • Access to shared or delegated mailboxes outside normal patterns
6. Prepare for the patch
   • Track Microsoft’s advisory for the upcoming security update.
   • Plan a fast-track deployment of the patch once released.
   • Keep EMES enabled even after patching, as it will be relevant for future zero-days.

---

Risk framing for leadership

When explaining this to non-technical stakeholders, emphasize:

• This is an actively exploited zero-day in a core communication system.
• The attack requires minimal user interaction – just reading email in OWA.
• The current protection is a mitigation, not a full fix.
• The impact includes potential account takeover, data exposure, and lateral movement.

Your message should be:

• We have a temporary shield (EMES/manual mitigation), not armor.
• We are monitoring for abuse and preparing to deploy the patch as soon as it’s available.

---

Summary

• CVE-2026-42897 is a zero-day XSS and spoofing vulnerability in Exchange OWA, with active exploitation and no patch yet.
• Microsoft has shipped a server-side mitigation via EMES for Exchange SE, 2016, and 2019.
• If EMES is enabled and the June 2026 mitigation is applied, you have the currently available protection.
• If EMES is not enabled, you must apply manual mitigations from Microsoft immediately and consider restricting or temporarily blocking OWA.
• Continue to monitor logs, hunt for suspicious mailbox activity, and be ready to deploy the official patch as soon as it is released.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to talk through your Exchange exposure and response strategy.