ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-42897 Microsoft Exchange Server OWA Cross Site Scripting Vulnerability Actively Exploited in the Wild

A short review of CVE-2026-42897, an actively exploited cross site scripting vulnerability in Microsoft Exchange Server Outlook Web Access that enables spoofing and arbitrary JavaScript execution with no permanent patch currently available.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-14

Brief Summary: CVE-2026-42897 Microsoft Exchange Server OWA Cross Site Scripting Vulnerability Actively Exploited in the Wild
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An actively exploited cross site scripting vulnerability in Microsoft Exchange Server's Outlook Web Access is allowing attackers to execute arbitrary JavaScript in authenticated user sessions, and Microsoft has not yet released a permanent fix. With confirmed exploitation in the wild and only temporary mitigations available, this is a situation where on premises Exchange administrators need to act on incomplete remediation rather than wait for a clean patch.

Technical Information

CVE-2026-42897 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects the Outlook Web Access (OWA) component of Microsoft Exchange Server. The root cause is a failure to properly sanitize input that gets rendered in web pages served by OWA, enabling cross site scripting.

Attack Flow

The exploitation path is straightforward:

  1. The attacker crafts a specially constructed email containing a malicious payload.
  2. The attacker sends this email to a targeted user whose organization runs an on premises Exchange Server.
  3. The recipient opens the malicious email within Outlook Web Access in their browser.
  4. Upon specific interaction conditions being met, the payload executes arbitrary JavaScript within the context of the victim's authenticated browser session.

Because the JavaScript executes within the victim's session context, the attacker gains the ability to access session data, perform actions on behalf of the user, and potentially exfiltrate sensitive information.

CVSS 3.1 Breakdown

The vulnerability carries a base score of 8.1. The individual metrics paint a clear picture of the risk profile:

MetricValueImplication
Attack VectorNetworkExploitable remotely across the internet
Attack ComplexityLowNo specialized conditions required; repeatable success expected
Privileges RequiredNoneNo prior authorization needed to initiate the attack
User InteractionRequiredVictim must open the crafted email in OWA
Confidentiality ImpactHighTotal loss of confidentiality for affected resources
Integrity ImpactHighMalicious modification of data is possible
Availability ImpactNoneNo disruption to service availability

The absence of any privilege requirement combined with low attack complexity and high impact on confidentiality and integrity makes this vulnerability particularly dangerous, even with the user interaction gate.

Affected Systems and Versions

Microsoft has confirmed that all update levels of the following on premises Exchange Server products are vulnerable:

ProductImpacted VersionsPermanent Update Available
Microsoft Exchange Server Subscription EditionAll update levels including RTMNo
Microsoft Exchange Server 2019All update levels including CU 14 and CU 15No
Microsoft Exchange Server 2016All update levels including CU 23No

Exchange Online (cloud hosted) is not listed as affected. The vulnerability is specific to on premises deployments, which represent approximately 16 percent of the global Exchange mailbox landscape as of late 2023.

Mitigation

No permanent security update is available. Microsoft did not release a security update for Exchange Server in May 2026. Organizations must apply temporary mitigations.

The fastest path to mitigation is the Exchange Emergency Mitigation Service (EM Service), which automatically applies a mitigation designated as M2. This mitigation uses an IIS URL Rewrite configuration to block specific patterns of malicious HTTP requests associated with this vulnerability.

The EM Service is enabled by default on Exchange Server 2016 and 2019 servers running the September 2021 Cumulative Update or later. Administrators should verify the mitigation has been applied by using PowerShell commands to check the applied mitigations list for the server. If the EM Service is disabled, Microsoft strongly recommends enabling it immediately.

Exchange On Premises Mitigation Tool (Air Gapped Environments)

For environments that cannot reach the cloud based EM Service, Microsoft provides the Exchange On Premises Mitigation Tool. Administrators can download the latest version of this script and execute it via an elevated Exchange Management Shell to apply the mitigation manually across one or more servers.

Known Side Effects

Applying the mitigation introduces functionality regressions in OWA that administrators should communicate to their users:

FeatureIssueWorkaround
OWA Print CalendarFails to work completelyCopy data, take screenshots, or use the Outlook Desktop client
Inline ImagesMay not display correctly in the OWA reading paneSend images as email attachments or use the Outlook Desktop client

Threat Intelligence

Microsoft has confirmed in its exploitability assessment that exploitation of CVE-2026-42897 has been detected in the wild. The vulnerability was not publicly disclosed prior to this active exploitation, meaning it was being leveraged as a zero day before Microsoft published its advisory on May 14, 2026.

As of this writing, CISA has not yet added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog. Organizations should not treat the absence of a CISA KEV entry as an indication of low risk; the vendor itself has confirmed active exploitation.

No specific threat actor attribution or campaign details have been disclosed in the available security advisories.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization