A critical zero-day spoofing vulnerability, CVE-2026-42897, affecting on-premises Microsoft Exchange Server installations is under active exploitation. The flaw is a Cross-Site Scripting (XSS) vulnerability within Outlook Web Access (OWA) that allows an unauthenticated attacker to execute arbitrary JavaScript in the victim's browser by tricking them into opening a specially crafted email. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgency of the threat. Microsoft has acknowledged the exploitation and released mitigation guidance while working on a permanent security patch. Exchange Online customers are not affected.
The vulnerability, CVE-2026-42897, is classified as a spoofing flaw but is technically a stored Cross-Site Scripting (XSS) vulnerability. It stems from improper neutralization of input during web page generation (CWE-79) within the Outlook Web Access (OWA) component.
The attack chain is straightforward but effective: the attacker sends a specially crafted email to the target, the target opens the message in OWA, and the embedded JavaScript executes in the target's browser. Because the script runs in the user's browser, it inherits the permissions and access of that user's authenticated session, making it a powerful tool for corporate espionage and internal reconnaissance.
The vulnerability impacts on-premises Microsoft Exchange Server 2016, Exchange Server 2019 and Exchange Server Subscription Edition (SE), the versions named in the mitigation guidance below.
Important: Microsoft Exchange Online is not affected by this vulnerability.
Microsoft has confirmed that CVE-2026-42897 is being actively exploited in limited, targeted attacks. On May 15, 2026, CISA added the vulnerability to its KEV catalog, indicating verified exploitation in the wild and requiring U.S. federal agencies to apply Microsoft's mitigations by a specified deadline. The public disclosure of a zero-day that was not fixed in the scheduled Patch Tuesday update suggests the exploitation was discovered very recently, forcing an out-of-band response.
The business impact of this vulnerability is high, particularly for organizations that rely heavily on on-premises Exchange and OWA for remote access. Successful exploitation can lead to hijacking of the victim's authenticated OWA session, theft of mailbox content and any other data reachable from that session, internal reconnaissance, and a foothold from which the attacker can pivot deeper into the network.
The following patterns could indicate related activity and may be useful for threat hunting:
url_pattern: /owa/
string_pattern: <script>, onerror=, onload=, eval()
network_traffic_pattern: Outbound connections from OWA servers to non-standard IPs
log_source: Exchange IIS Logs
Security teams should focus on analyzing web logs from their Exchange servers and monitoring for signs of post-exploitation activity.
Forward the IIS logs from your Exchange front-end servers (default location %SystemDrive%\inetpub\logs\LogFiles\W3SVC1) into your SIEM. Create detection rules that alert on requests to OWA containing suspicious strings such as <script>, alert(), javascript:, or URL-encoded and otherwise obfuscated variations of them. D3FEND's URL Analysis (D3-UA) is a key technique here.
If exploitation is suspected:
As a permanent patch is not yet available, organizations must implement Microsoft's provided mitigations immediately.
New CVSS scores (8.1/6.1) and expanded detection/hunting methods provided for the actively exploited Exchange zero-day, CVE-2026-42897, with further impact details.
The primary long-term mitigation is to apply the security patch from Microsoft as soon as it becomes available.
Use a Web Application Firewall (WAF) or Microsoft's provided URL Rewrite rules to filter and block requests carrying XSS payloads before they reach the OWA application.
Reduce the attack surface by restricting network access to OWA to only trusted IP ranges or requiring VPN access.
Enforce MFA on OWA so that credentials harvested through a compromised session cannot be reused from untrusted locations. MFA does not, however, protect an already-authenticated session whose cookie or token the injected script steals, so affected sessions still have to be invalidated.
In the absence of a patch for CVE-2026-42897, immediate application configuration hardening is the most critical defensive measure. Organizations must implement the specific mitigation steps provided by Microsoft. This typically involves applying URL Rewrite rules within IIS on the Exchange front-end servers. These rules act as a virtual patch by inspecting incoming requests to OWA and blocking those that match known malicious patterns associated with this XSS attack. Security teams should deploy these rules to all internet-facing Exchange 2016, 2019, and SE servers. It is crucial to test the rules in a non-production environment first to ensure they do not disrupt legitimate user traffic. After deployment, monitor IIS and URL Rewrite logs to verify that the rules are working and to detect any ongoing exploitation attempts. This technique directly hardens the OWA application against the specific attack vector, providing a crucial stopgap until a permanent software update is available.
To detect potential post-exploitation activity from a compromised OWA session, security teams should implement robust Network Traffic Analysis (NTA). Focus monitoring on egress traffic originating from the Exchange OWA front-end servers. A compromised session could be used to exfiltrate data or establish a C2 channel. Establish a baseline of normal outbound traffic from these servers; they should typically have very limited, predictable outbound communication. Configure alerts for any anomalous connections, such as traffic to unusual IP addresses, non-standard ports, or known malicious domains. Pay close attention to the volume and patterns of data transfer. A sudden spike in outbound data from an OWA server could indicate data exfiltration. Using NetFlow, Zeek, or a full packet capture solution can provide the necessary visibility to detect these subtle indicators of compromise, allowing for a rapid response before an attacker can pivot deeper into the network.
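As an added example that is not part of the original article, the following Python sketch implements the baseline-then-alert approach described above over constructed hourly flow roll-ups of the kind NetFlow or Zeek conn.log summaries produce. The server address, peer hosts, byte counts and the expected-port set are all assumptions for illustration. It performs three checks: a peer never seen in the learning window, such a peer on a port outside the expected set, and an hour whose outbound volume exceeds both a z-score bound and a multiple of the learned mean.

```python
"""Baseline and flag egress from an Exchange OWA front-end server.

Added example, not code from the original article. Flow records are constructed
to resemble hourly NetFlow/Zeek conn.log roll-ups: (hour, src, dst, dport,
bytes_out). The expected-port set is an assumption for a generic Exchange front
end; peers are learned from a clean window rather than hard-coded.
"""
from collections import defaultdict
from statistics import mean, pstdev

OWA = "10.0.0.5"
# Outbound ports an Exchange front end is normally expected to use (assumed).
EXPECTED_PORTS = frozenset({25, 53, 88, 135, 389, 443, 444, 636, 3268, 3269})


def build_baseline(learning_flows):
    """From a known-clean window, learn each server's (dst, port) peers and the
    mean/stddev of its hourly outbound byte totals."""
    peers = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, port, nbytes in learning_flows:
        peers[src].add((dst, port))
        hourly[src][hour] += nbytes
    stats = {}
    for src, per_hour in hourly.items():
        totals = list(per_hour.values())
        stats[src] = (mean(totals), pstdev(totals))
    return {"peers": dict(peers), "stats": stats}


def detect(baseline, flows, z=3.0, floor_ratio=3.0):
    """Flag peers absent from the baseline (worse when on a non-expected port) and
    hours whose outbound bytes exceed max(mean + z*stddev, floor_ratio*mean).
    The floor stops a very steady baseline (stddev near 0) alerting on noise."""
    alerts = []
    hourly = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, port, nbytes in flows:
        hourly[src][hour] += nbytes
        if (dst, port) not in baseline["peers"].get(src, set()):
            kind = "new_destination" if port in EXPECTED_PORTS else "new_destination_nonstandard_port"
            alerts.append({"type": kind, "src": src, "dst": dst, "port": port, "hour": hour})
    for src, per_hour in hourly.items():
        mu, sigma = baseline["stats"].get(src, (0.0, 0.0))
        threshold = max(mu + z * sigma, floor_ratio * mu)
        for hour, total in per_hour.items():
            if mu and total > threshold:
                alerts.append({"type": "volume_spike", "src": src, "hour": hour,
                               "bytes": total, "threshold": round(threshold)})
    return alerts


# Constructed clean window: the front end talks only to a domain controller and its mailbox backend.
LEARNING = [
    ("2026-05-14T09", OWA, "10.0.0.10", 389, 400_000),
    ("2026-05-14T09", OWA, "10.0.0.10", 88, 100_000),
    ("2026-05-14T09", OWA, "10.0.0.20", 444, 1_500_000),
    ("2026-05-14T10", OWA, "10.0.0.10", 389, 450_000),
    ("2026-05-14T10", OWA, "10.0.0.10", 88, 150_000),
    ("2026-05-14T10", OWA, "10.0.0.20", 444, 1_500_000),
    ("2026-05-14T11", OWA, "10.0.0.10", 389, 350_000),
    ("2026-05-14T11", OWA, "10.0.0.10", 88, 50_000),
    ("2026-05-14T11", OWA, "10.0.0.20", 444, 1_500_000),
]
# Constructed observation window: one normal hour, one bulk transfer to an unknown
# host on an odd port, one small beacon to an unknown host on 443.
OBSERVED = [
    ("2026-05-15T13", OWA, "10.0.0.10", 389, 420_000),
    ("2026-05-15T13", OWA, "10.0.0.20", 444, 1_600_000),
    ("2026-05-15T14", OWA, "10.0.0.10", 389, 1_000_000),
    ("2026-05-15T14", OWA, "198.51.100.99", 8443, 7_500_000),
    ("2026-05-15T15", OWA, "10.0.0.20", 444, 1_500_000),
    ("2026-05-15T15", OWA, "203.0.113.5", 443, 50_000),
]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING)
    for alert in detect(baseline, OBSERVED):
        print(alert)
```

The small 443 beacon is caught only because the peer is new, not because of volume; that is why the peer check matters more than the byte threshold for early C2 detection. In production the learning window should cover at least a full business week per server role, and the expected-port set should be derived from the same window rather than typed in.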
URL Analysis is a primary detection method for identifying attempts to exploit CVE-2026-42897. Configure the SIEM, WAF, or other log analysis platform to scrutinize the query strings of all requests to /owa/ paths and, where a WAF or reverse proxy records them, the POST bodies as well (standard IIS logs capture cs-uri-query but not request bodies). Flag HTML tags, JavaScript keywords, and special characters commonly used in XSS attacks: specifically <script>, onerror=, onload=, javascript:, eval(), and their URL-encoded, double-encoded, or HTML-entity-encoded forms. Because attackers obfuscate their payloads, decode and normalize each request before matching rather than searching the raw log line for literal strings. Note also that for a stored XSS delivered by email the payload itself arrives over SMTP and is rendered from the mailbox, so URL analysis mainly surfaces probing, reflected variants, and the follow-on requests an injected script makes; it complements rather than replaces inspection of inbound mail content. Perform the analysis in near real time to enable rapid alerting. It identifies not only successful exploitation but also reconnaissance and failed attempts, providing valuable intelligence on who is targeting the organization.
Microsoft discloses the zero-day vulnerability CVE-2026-42897, two days after the scheduled Patch Tuesday.
CISA adds CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) Catalog.
Microsoft provides temporary mitigation steps for affected organizations.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.