Exchange Zero‑Day CVE‑2026‑42897: What On‑Prem Admins Need to Know

Microsoft disclosed CVE‑2026‑42897 on May 14, 2026, warning that the flaw is already being exploited in the wild against organizations running on‑premises Microsoft Exchange Server. The vulnerability affects the Outlook on the web (OWA) component and allows attackers to exploit a cross‑site scripting (XSS) weakness that can lead to spoofing and potentially malicious actions inside a victim’s browser session.

For organizations operating Exchange infrastructure locally, the risk is immediate: there is active exploitation, and at the time of reporting Microsoft has provided temporary mitigations rather than a permanent security update.

What CVE‑2026‑42897 Is

CVE‑2026‑42897 is caused by improper neutralization of input during web page generation, a classic cross‑site scripting flaw. In Exchange Server, this weakness appears in the Outlook Web Access interface, allowing an attacker to inject content that executes in a user’s browser.

Microsoft classifies the issue as a spoofing vulnerability, meaning attackers can manipulate the user interface or session context of Outlook on the web.

Security tracking databases rate the issue as high severity (CVSS 8.1), reflecting the ability to exploit it remotely with minimal prerequisites beyond user interaction.

How the OWA Attack Works

The attack chain relies on social engineering and malicious email content.

1. An attacker sends a specially crafted email to a target organization.
2. The victim opens the message using Outlook on the web (OWA).
3. Due to improper input handling in the OWA interface, attacker‑controlled content is rendered in a way that allows JavaScript execution inside the victim’s browser session.

Once executed, the script runs within the context of the authenticated OWA session. Depending on the scenario, this can allow attackers to:

• Spoof interface elements or communications
• Perform actions within the user’s web session
• Potentially send or manipulate data within the victim’s mailbox context

Public advisories intentionally avoid publishing detailed exploit code, but security reports confirm that the flaw is already being exploited in real‑world attacks.

Affected Exchange Versions

Current reports identify the following on‑premises Exchange Server versions as affected:

• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019
• Microsoft Exchange Server Subscription Edition (SE)

These are server products that organizations deploy and manage themselves, typically exposing Outlook on the web to internal users or remote access.

Why Exchange Online Is Not Impacted

Available advisories consistently describe the vulnerability as affecting on‑premises Exchange Server installations, not the Microsoft‑managed cloud service.

Exchange Online differs in two important ways:

• The infrastructure is operated and patched directly by Microsoft.
• Security controls and service updates are applied centrally rather than by customers.

Because of this managed environment, the issue is reported as specific to self‑hosted Exchange servers and their OWA components, not the Microsoft 365 cloud platform.

Microsoft’s Temporary Mitigations

Until a permanent patch is released, Microsoft has published temporary protections through the Exchange Emergency Mitigation Service (EEMS).

EEMS can automatically deploy mitigations to supported Exchange servers. For CVE‑2026‑42897, Microsoft released an automated mitigation identified with IDs in the M2.1.x range, which should apply automatically on servers where the service is enabled.

Organizations using EEMS should confirm the mitigation has been downloaded and applied successfully.

Manual Mitigation Options

Not every environment uses or allows automatic mitigations. For example:

• disconnected or air‑gapped networks
• environments where EEMS is disabled

In those cases, Microsoft provides a manual mitigation path using Exchange mitigation tools and documented procedures to apply the same protection without the automated service.

Admins should apply these mitigations immediately if automatic deployment is not available.

Limitations for Older or Unsupported Servers

Mitigations delivered through EEMS are intended for supported Exchange builds. Servers that are:

• outdated
• running unsupported versions
• unable to reach Microsoft mitigation endpoints

may not receive or apply the mitigation reliably.

Such systems should be treated as potentially exposed until they are upgraded, isolated, or otherwise protected.

No Confirmed Permanent Patch Yet

At the time of the public advisories cited here, Microsoft had released mitigations but not a permanent security update for CVE‑2026‑42897. Organizations should monitor official Microsoft security advisories and Exchange Team guidance for patch availability.

Why the Exchange Health Checker Script Is Critical Right Now

A key risk with mitigation‑based defenses is assuming they are active when they are not.

Microsoft recommends using the Exchange Health Checker script to verify mitigation status across servers. The script can quickly report:

• whether Exchange Emergency Mitigation Service is enabled
• whether mitigations such as M2.1.x are applied
• configuration issues preventing mitigations from downloading or activating

Running the tool across every Exchange server helps ensure the organization is actually protected rather than relying on assumed configuration.

Immediate Steps for Exchange Administrators

Organizations running on‑premises Exchange should prioritize:

• Verifying EEMS is enabled and functional
• Confirming the M2.1.x mitigation for CVE‑2026‑42897 is applied
• Running the Exchange Health Checker script on all servers
• Applying manual mitigation if automatic protection is unavailable
• Identifying unsupported or outdated servers that may not receive mitigations

Because the vulnerability is already under active exploitation, organizations with exposed Outlook on the web endpoints should treat mitigation verification as an urgent operational task.