Introduction
An actively exploited cross site scripting vulnerability in Microsoft Exchange Server's Outlook Web Access is allowing attackers to execute arbitrary JavaScript in authenticated user sessions, and Microsoft has not yet released a permanent fix. With confirmed exploitation in the wild and only temporary mitigations available, this is a situation where on premises Exchange administrators need to act on incomplete remediation rather than wait for a clean patch.
Technical Information
CVE-2026-42897 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects the Outlook Web Access (OWA) component of Microsoft Exchange Server. The root cause is a failure to properly sanitize input that gets rendered in web pages served by OWA, enabling cross site scripting.
Attack Flow
The exploitation path is straightforward:
- The attacker crafts a specially constructed email containing a malicious payload.
- The attacker sends this email to a targeted user whose organization runs an on premises Exchange Server.
- The recipient opens the malicious email within Outlook Web Access in their browser.
- Upon specific interaction conditions being met, the payload executes arbitrary JavaScript within the context of the victim's authenticated browser session.
Because the JavaScript executes within the victim's session context, the attacker gains the ability to access session data, perform actions on behalf of the user, and potentially exfiltrate sensitive information.
CVSS 3.1 Breakdown
The vulnerability carries a base score of 8.1. The individual metrics paint a clear picture of the risk profile:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely across the internet |
| Attack Complexity | Low | No specialized conditions required; repeatable success expected |
| Privileges Required | None | No prior authorization needed to initiate the attack |
| User Interaction | Required | Victim must open the crafted email in OWA |
| Confidentiality Impact | High | Total loss of confidentiality for affected resources |
| Integrity Impact | High | Malicious modification of data is possible |
| Availability Impact | None | No disruption to service availability |
The absence of any privilege requirement combined with low attack complexity and high impact on confidentiality and integrity makes this vulnerability particularly dangerous, even with the user interaction gate.
Affected Systems and Versions
Microsoft has confirmed that all update levels of the following on premises Exchange Server products are vulnerable:
| Product | Impacted Versions | Permanent Update Available |
|---|---|---|
| Microsoft Exchange Server Subscription Edition | All update levels including RTM | No |
| Microsoft Exchange Server 2019 | All update levels including CU 14 and CU 15 | No |
| Microsoft Exchange Server 2016 | All update levels including CU 23 | No |
Exchange Online (cloud hosted) is not listed as affected. The vulnerability is specific to on premises deployments, which represent approximately 16 percent of the global Exchange mailbox landscape as of late 2023.
Mitigation
No permanent security update is available. Microsoft did not release a security update for Exchange Server in May 2026. Organizations must apply temporary mitigations.
Exchange Emergency Mitigation Service (Recommended)
The fastest path to mitigation is the Exchange Emergency Mitigation Service (EM Service), which automatically applies a mitigation designated as M2. This mitigation uses an IIS URL Rewrite configuration to block specific patterns of malicious HTTP requests associated with this vulnerability.
The EM Service is enabled by default on Exchange Server 2016 and 2019 servers running the September 2021 Cumulative Update or later. Administrators should verify the mitigation has been applied by using PowerShell commands to check the applied mitigations list for the server. If the EM Service is disabled, Microsoft strongly recommends enabling it immediately.
Exchange On Premises Mitigation Tool (Air Gapped Environments)
For environments that cannot reach the cloud based EM Service, Microsoft provides the Exchange On Premises Mitigation Tool. Administrators can download the latest version of this script and execute it via an elevated Exchange Management Shell to apply the mitigation manually across one or more servers.
Known Side Effects
Applying the mitigation introduces functionality regressions in OWA that administrators should communicate to their users:
| Feature | Issue | Workaround |
|---|---|---|
| OWA Print Calendar | Fails to work completely | Copy data, take screenshots, or use the Outlook Desktop client |
| Inline Images | May not display correctly in the OWA reading pane | Send images as email attachments or use the Outlook Desktop client |
Threat Intelligence
Microsoft has confirmed in its exploitability assessment that exploitation of CVE-2026-42897 has been detected in the wild. The vulnerability was not publicly disclosed prior to this active exploitation, meaning it was being leveraged as a zero day before Microsoft published its advisory on May 14, 2026.
As of this writing, CISA has not yet added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog. Organizations should not treat the absence of a CISA KEV entry as an indication of low risk; the vendor itself has confirmed active exploitation.
No specific threat actor attribution or campaign details have been disclosed in the available security advisories.
References
- Microsoft Security Response Center: CVE-2026-42897
- NVD Entry: CVE-2026-42897
- Addressing Exchange Server May 2026 vulnerability CVE-2026-42897 (Microsoft Community Hub)
- No Exchange Server Security Updates for May 2026 (Microsoft Community Hub)
- Exchange Emergency Mitigation Service Documentation (Microsoft Learn)
- CISA Known Exploited Vulnerabilities Catalog
- How Will Enterprises Handle Changes in Exchange Server SE (TechTarget)



