Skip to main content
  1. Active Vulnerability List/
  2. 2026/

CVE-2026-42897 | Exchange | XSS

FieldDetails
VulnerabilityCVE-2026-42897
Affected ProductMicrosoft Exchange Server (on-premises only): Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE). Per Microsoft’s advisory and the Exchange Team blog of May 14, 2026, Exchange Online is not affected.
TypeCross-Site Scripting (XSS) / Spoofing. Microsoft classifies the impact as spoofing over a network, with the underlying weakness being improper neutralization of input during web page generation in Outlook Web Access (OWA).
CWECWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), as assigned by Microsoft Corporation (CNA) and recorded in NVD.
DescriptionPer Microsoft’s advisory: “Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.” The flaw resides in the Outlook Web Access (OWA) rendering path of on-premises Exchange. An attacker sends a specially crafted email; when the recipient opens it in OWA and certain interaction conditions are met, arbitrary JavaScript executes in the victim’s browser session, enabling session abuse without ever touching the Exchange server itself. Disclosed as a zero-day on May 14, 2026 with active exploitation confirmed by Microsoft at disclosure.
SeverityCVSS v3.1: 8.1 HIGH (CNA: Microsoft Corporation), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N as recorded in NVD. CVSS v4.0: NVD assessment not yet provided at time of writing (NVD record state is “Undergoing Enrichment”).
Root CauseImproper neutralization of attacker-controlled input during OWA web page generation. Microsoft has not publicly named the specific vulnerable component, function, or input parameter. No PoC code has been published, and Microsoft has not released packet-level or forensic detail on the exact rendering path being abused. Vulnerable function not publicly disclosed at time of writing.
Attack VectorNetwork (AV:N). Delivery is through the corporate mail flow — the attacker sends an email; no prior server access, credential theft, or network foothold is required to deliver the payload. Exploitation triggers when the victim renders the message in OWA in a browser.
Privileges RequiredNone (PR:N) for the attacker. The attacker requires no authentication, no account on the target Exchange organization, and no prior access. The payload executes in the authenticated browser session of the victim, inheriting that user’s OWA privileges.
User InteractionRequired (UI:R). The victim must open the crafted email in OWA. Microsoft’s advisory states “certain interaction conditions are met” without elaborating publicly on what those conditions are. Exact interaction trigger not publicly disclosed.
ImpactSuccessful exploitation results in arbitrary JavaScript execution in the victim’s authenticated OWA browser session. Confirmed downstream impacts cited by Microsoft, CISA, and multiple security vendors include session token theft, mailbox impersonation, email rule manipulation, credential theft, and lateral movement inside the enterprise. No server-side code execution has been reported — the bug stays in the browser context.
Why the Bug MattersOWA is the primary browser-based mail interface for many enterprises, and Exchange Server has a history of mass exploitation (ProxyLogon, ProxyShell). This bug is unusual because the exploit path does not begin with a server takeover — it begins in an inbox. That changes the defender posture: perimeter-only thinking misses it. The attack also requires no credentials of the attacker and no chaining with another bug, which makes large-scale opportunistic exploitation viable. Microsoft confirmed in-the-wild exploitation simultaneously with disclosure — classic zero-day pattern with no patch lead time.
Execution Flow1. Attacker prepares an email containing specially crafted HTML/JavaScript content designed to bypass OWA’s input neutralization. 2. Email is delivered to the victim’s mailbox through normal mail flow — no prior access to the Exchange server is required. 3. Victim opens the message in OWA in a web browser. 4. Under certain interaction conditions (not publicly specified by Microsoft), the rendering path executes attacker-controlled JavaScript in the victim’s authenticated OWA session. 5. The script operates inside the victim’s session context — capable of stealing session tokens, issuing OWA API calls as the victim, modifying inbox rules, or exfiltrating mail content to attacker-controlled infrastructure.
Threat Model / Abuse Scenarios- Opportunistic spam-style campaigns targeting any internet-exposed on-premises Exchange OWA portal
- Targeted spear-phishing of executives or admins whose OWA sessions hold high-value mailbox access
- Insider-adjacent abuse where any mail-sending capability (compromised supplier, business email compromise) can be used to deliver the payload internally
- Persistent mail rule plants for long-term mailbox exfiltration after a single successful render
- Pivot to credential theft via injected fake OWA login prompts inside the legitimate OWA browser context
Detection OpportunitiesPer CyCognito, Senthorus, and Apolo Cybersecurity writeups, defenders should monitor:
- OWA access and IIS logs for anomalous request patterns associated with mail rendering
- Exchange transport logs for inbound messages with unusual HTML structures, oversized HTML bodies, or known XSS payload signatures
- EEMS / EOMT mitigation application status via Exchange Health Checker reports
- Mailbox audit logs for unexpected inbox rule creation, mailbox forwarding rule changes, and mass mail-send actions tied to user accounts that have recently opened external mail in OWA
- OWA session token reuse from geographically or IP-anomalous sources
- Inferred from bug mechanics: web proxy / CASB telemetry for outbound HTTP from the OWA browser context to non-Microsoft destinations shortly after a mail render event
High-Value Detection Clues- EEMS mitigation status check failing or showing “Mitigation invalid for this exchange version” in Exchange Health Checker (per Microsoft Tech Community, this status is cosmetic and the mitigation still applies if “Applied” is shown — investigate true non-application)
- New inbox forwarding rules created by an account immediately after opening external mail in OWA
- Authenticated OWA session activity from a new IP/ASN within minutes of mail render
- Anomalous EWS or Graph-like API call patterns from the user context, especially mass GetItem/FindItem operations
- Inferred from bug mechanics: inbound emails with embedded <script> tags surviving Exchange transport filtering, or HTML bodies containing event handlers (onload, onerror, onmouseover) on permissive tags
Example Hunt Ideas- In transport/journaling logs: hunt for inbound messages where the HTML body length is anomalously high or contains script-like substrings (<script, javascript:, srcdoc=, data:text/html)
- In mailbox audit logs (Unified Audit Log on hybrid, on-prem audit on standalone): correlate New-InboxRule, Set-InboxRule, UpdateInboxRules events with the MailItemsAccessed events for the same user within a short window
- In IIS logs for OWA: hunt for unusual referer chains, session cookies appearing from multiple source IPs in a short window, or POSTs to OWA endpoints not normally invoked by the user
- In EDR telemetry: hunt for browser processes (msedge.exe, chrome.exe, firefox.exe) making outbound connections to non-Microsoft hosts in close temporal proximity to OWA navigation events
- Inferred: in email gateway logs, hunt for messages whose rendered DOM differs significantly from their plaintext body — a hallmark of obfuscated XSS payload delivery
MitigationNo permanent code patch was available at time of writing. Microsoft is shipping automatic mitigation through the Exchange Emergency Mitigation Service (EEMS) under mitigation ID M2.1.x, applicable to Exchange Server 2016, 2019, and SE. EEMS deploys a URL rewrite rule that blocks the specific request pattern abused by the exploit. EEMS is enabled by default on supported Exchange builds released since the March 2023 cumulative update; organizations on older builds must update Exchange first. For air-gapped or EEMS-disabled environments, Microsoft provides the Exchange On-Premises Mitigation Tool (EOMT) PowerShell script, invoked from an elevated Exchange Management Shell as .\EOMT.ps1 -CVE "CVE-2026-42897" (per Apolo Cybersecurity / Microsoft guidance). Verification is available via the Exchange Health Checker (aka.ms/ExchangeHealthChecker), whose HTML report includes an EEMS check section. Known mitigation side effects documented by Microsoft on May 18, 2026: OWA Print Calendar feature stops working, and inline images may not display correctly in OWA reading panes.
Solution StatusPermanent patch not yet released at time of writing. Per the Microsoft Exchange Team blog of May 14, 2026, security updates are planned for Exchange SE RTM (publicly available), Exchange Server 2016 CU23, Exchange Server 2019 CU14, and Exchange Server 2019 CU15 — however, the 2016 and 2019 updates will only be delivered to customers enrolled in the Period 2 Exchange Server Extended Security Update (ESU) program. Period 1-only ESU customers will not receive this update, as that program ended in April 2026. Microsoft has not published a patch release date.
MITRE ATT&CK MappingATT&CK mapping not publicly established by Microsoft or CISA at time of writing. Inferred from bug mechanics: T1566 Phishing (delivery via crafted email), T1059.007 Command and Scripting Interpreter: JavaScript (payload execution in OWA browser context), T1539 Steal Web Session Cookie (likely post-exploitation objective given the in-browser session abuse described by Microsoft and CISA), and T1114 Email Collection with T1114.003 Email Forwarding Rule for persistence via inbox rules.
Limitations / Constraints- Not a remote code execution on the Exchange server. Code executes in the victim’s browser, not on the server host.
- Requires user interaction. The victim must open the crafted email in OWA; users who never touch OWA (Outlook desktop client only, ActiveSync only) are not exposed via this vector.
- Only on-premises Exchange is affected. Exchange Online tenants are not impacted.
- Exact interaction trigger is not public, which limits the precision of detection rules built without controlled testing.
- No public PoC code exists at time of writing, so detection rule authoring relies on vendor guidance, mitigation rewrite patterns, and reasoning from bug class rather than reproducible exploit traffic.
References- https://nvd.nist.gov/vuln/detail/CVE-2026-42897
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897
- https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498
- https://www.cisa.gov/news-events/alerts/2026/05/15/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.helpnetsecurity.com/2026/05/15/exchange-server-cve-2026-42897-exploited/
- https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html
- https://www.securityweek.com/microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild/
- https://socprime.com/blog/cve-2026-42897-analysis/
- https://blog.senthorus.ch/posts/cve_2026_42897/
- https://www.cycognito.com/blog/emerging-threat-cve-2026-42897-microsoft-exchange-owa-cross-site-scripting-via-crafted-email/
- https://www.apolocybersecurity.com/en/blog-posts/microsoft-exchange-owa-zero-day-cve-2026-42897-mitigation-eems
- https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-emergency-mitigation-service