
CVE-2026-42897: Microsoft Exchange Server OWA Cross-Site Scripting Vulnerability Actively Exploited

The vulnerability is caused by improper neutralization of input during web page generation, a weakness commonly known as cross-site scripting, or XSS. In this case, the vulnerable component is tied to Outlook Web Access, the browser-based interface used to access Exchange mailboxes. If successfully exploited, the flaw can allow attacker-controlled JavaScript to run in the victim's browser session.

How the attack works

An attacker can exploit CVE-2026-42897 by sending a specially crafted email to a targeted user. If the user opens that email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can execute in the browser context. This means the attack depends on user interaction, but it does not require the attacker to already have valid Exchange credentials.

This is not the same as direct remote code execution on the Exchange server itself. The more immediate risk is that malicious script runs inside a trusted OWA session, which may allow spoofing, manipulation of displayed content, access to sensitive information available to the browser session, or other actions depending on the user's privileges and the browser/session context.

Affected systems

CVE-2026-42897 affects on-premises Microsoft Exchange Server deployments, including:

Product                                      | Affected version
Microsoft Exchange Server 2016               | Cumulative Update 23
Microsoft Exchange Server 2019               | Cumulative Updates 14 and 15
Microsoft Exchange Server Subscription Edition | RTM

Exchange Online is reported as not affected. Organizations using older cumulative updates should update to supported versions because Microsoft's future security update is expected to target supported Exchange builds.

Severity and CVSS score difference

There is a notable scoring difference between NVD and Microsoft.

Source        | Score | Severity | Vector
NVD           | 6.1   | Medium   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Microsoft CNA | 8.1   | High     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

The key difference is impact. NVD rates confidentiality and integrity impact as Low, while Microsoft rates both as High. Microsoft also uses unchanged scope, while NVD uses changed scope. Since Microsoft is the vendor and CNA for the vulnerability, security teams should treat the Microsoft score as the more operationally important risk signal.

Why this vulnerability matters

Exchange Server is a high-value target because it sits at the center of business email, authentication workflows, attachments, calendars, and internal communications. Even though this flaw is classified as XSS/spoofing rather than server-side code execution, exploitation through OWA can still be serious because it occurs inside a trusted browser session.

The risk increases when OWA is exposed to the internet, which is common in many on-prem Exchange environments. A crafted email can give attackers a realistic delivery path, and exploitation may blend into normal user activity unless defenders are actively monitoring for suspicious messages, unusual OWA behavior, or abnormal mailbox actions.

Current exploitation status

CVE-2026-42897 has been added to CISA's Known Exploited Vulnerabilities catalog, with a due date of May 29, 2026 for required action by covered U.S. federal agencies. NVD also reflects that KEV listing.

Microsoft has not publicly disclosed detailed attack indicators in the sources available so far, but the "exploitation detected" status should be treated as a clear signal to prioritize mitigation.

Mitigation and remediation

Microsoft is working on a permanent security update. Until that update is available, administrators should apply Microsoft's temporary mitigation immediately.

For organizations with the Exchange Emergency Mitigation Service enabled, the mitigation is applied automatically. This service is enabled by default on supported Exchange servers, but administrators should still verify that it is running and that the CVE-2026-42897 mitigation has been applied. For environments where automatic mitigation is not available, such as restricted or air-gapped networks, Microsoft provides the Exchange On-premises Mitigation Tool. Public guidance says the mitigation can be applied using the EOMT script for CVE-2026-42897.

Example command:

.\EOMT.ps1 -CVE "CVE-2026-42897"

Security teams should also review whether OWA must be exposed externally. Where possible, restrict OWA access behind VPN, conditional access, reverse proxy protections, or other access controls until the permanent update is deployed.

Recommended actions for administrators

Administrators should first identify all on-premises Exchange servers, confirm whether they are running supported cumulative updates, and verify whether Exchange Emergency Mitigation Service is enabled. If mitigation has not been applied automatically, apply Microsoft's manual mitigation immediately.
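The inventory and verification steps above, and the EEMS check from the mitigation section, as one script. This is an added example, not the article's or Microsoft's own code; it assumes the Exchange Management Shell cmdlets Get-OrganizationConfig and Get-ExchangeServer with their MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties, and the mitigation ID is a placeholder because the article does not give one.

```powershell
# Added example (not from the article or Microsoft): inventory on-prem Exchange
# servers and report what the article says to verify before deciding whether
# the CVE-2026-42897 mitigation still has to be applied by hand.
# Run from the Exchange Management Shell (Windows PowerShell 5.1).
$ExpectedMitigationId = '<MITIGATION-ID-FROM-MICROSOFT>'   # placeholder: substitute the published ID

# Org-wide switch: when False, EEMS applies nothing automatically on any server.
$orgMitigationsEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = foreach ($srv in Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }) {
    # EEMS runs as the MSExchangeMitigation Windows service on each server.
    $svc = Get-Service -ComputerName $srv.Name -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    $applied = @($srv.MitigationsApplied)
    [pscustomobject]@{
        Server                   = $srv.Name
        # Compare against the affected-version table in the article.
        Version                  = $srv.AdminDisplayVersion.ToString()
        OrgMitigationsEnabled    = $orgMitigationsEnabled
        ServerMitigationsEnabled = $srv.MitigationsEnabled
        EemsServiceStatus        = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        MitigationsApplied       = ($applied -join ',')
        MitigationsBlocked       = (@($srv.MitigationsBlocked) -join ',')
        # Manual action is needed when EEMS is off, not running, or has not applied the fix.
        NeedsManualMitigation    = -not ($orgMitigationsEnabled -and
                                         $srv.MitigationsEnabled -and
                                         $svc -and $svc.Status -eq 'Running' -and
                                         ($applied -contains $ExpectedMitigationId))
    }
}

$report | Sort-Object NeedsManualMitigation -Descending | Format-Table -AutoSize

# Servers flagged here are the candidates for the EOMT run shown in the article.
$report | Where-Object NeedsManualMitigation | ForEach-Object {
    Write-Warning "$($_.Server): apply the CVE-2026-42897 mitigation manually (EOMT) or repair EEMS."
}
```

The Version column is reported as-is so it can be checked against the affected-version table; the script does not encode build numbers, which the article does not list.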

They should also monitor for suspicious emails designed to trigger OWA behavior, review OWA access logs, watch for abnormal mailbox activity, and prepare to deploy Microsoft's permanent update as soon as it becomes available. Organizations still running unsupported Exchange builds should prioritize upgrading because future fixes may not be available for outdated versions.

Conclusion

CVE-2026-42897 is an actively exploited Microsoft Exchange Server vulnerability affecting Outlook Web Access in on-premises environments. Although the bug is rooted in cross-site scripting, the operational impact is significant because Exchange is a sensitive enterprise system and the attack can be delivered through crafted email. Organizations running affected Exchange Server versions should verify mitigation status immediately, reduce OWA exposure where possible, and prepare to install Microsoft's final security update once released.
