Active Exploitation of Exchange Server Zero-Day CVE-2026-42897 Prompts Urgent Mitigation Guidance from Microsoft

Executive Summary

Microsoft has disclosed a new zero-day vulnerability, CVE-2026-42897, affecting on-premises Microsoft Exchange Server installations. The vulnerability, a cross-site scripting (XSS) and spoofing flaw, is confirmed to be under active exploitation by unspecified threat actors. It impacts Exchange Server 2016, 2019, and Subscription Edition. Due to the lack of a security patch in the recent May 2026 Patch Tuesday cycle, Microsoft is urging administrators to apply immediate mitigations. The primary recommendation is to enable the Exchange Emergency Mitigation Service (EEMS), which can automatically apply interim fixes to protect against this and future threats. The vulnerability allows a remote, unauthenticated attacker to conduct spoofing attacks against Outlook Web Access (OWA), potentially leading to credential theft or further social engineering.

Vulnerability Details

CVE-2026-42897 is an improper neutralization of input during web page generation, commonly known as a cross-site scripting (XSS) vulnerability. This flaw resides in the Outlook Web Access (OWA) component of on-premises Exchange Servers.

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required

An unauthenticated attacker can send a specially crafted request to a vulnerable Exchange server. If a user interacts with the malicious link or content generated by the attacker, the XSS payload will execute in the context of the user's browser session. This can be leveraged for spoofing attacks, where the attacker makes malicious content appear to originate from a legitimate source, or to steal the user's session cookies, potentially granting the attacker unauthorized access to the user's mailbox and other resources.

Affected Systems

• Microsoft Exchange Server 2016 (all Cumulative Updates)
• Microsoft Exchange Server 2019 (all Cumulative Updates)
• Microsoft Exchange Server Subscription Edition

Important Note: Exchange Online is not affected by this vulnerability.

Exploitation Status

Microsoft has confirmed that CVE-2026-42897 is being actively exploited in the wild. The details of the threat actors and the scale of the attacks have not been disclosed. However, the confirmation of in-the-wild exploitation elevates the urgency for all organizations running on-premises Exchange servers to take immediate action. As of the initial report, the vulnerability had not yet been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, but its status as an actively exploited Exchange zero-day makes its inclusion likely.

Impact Assessment

Successful exploitation of this vulnerability can lead to significant security incidents. While categorized as a "spoofing" flaw, the underlying XSS can have severe consequences:

• Credential Theft: Attackers can inject fake login forms into the OWA interface to capture user credentials.
• Session Hijacking: Malicious scripts can steal session cookies, allowing attackers to hijack active user sessions and gain full access to the victim's mailbox without needing a password.
• Phishing and Social Engineering: Attackers can manipulate OWA content to launch highly convincing internal phishing campaigns, directing users to malicious sites or to download malware.
• Data Exfiltration: Once a mailbox is compromised, attackers can exfiltrate sensitive emails and attachments.

Given that Exchange servers are a high-value target, a compromise can serve as an initial access vector for broader network intrusions, including ransomware deployment.

IOCs — Directly from Articles

No specific Indicators of Compromise (IPs, domains, hashes) were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns which could indicate exploitation attempts against CVE-2026-42897:

Detection & Response

• Enable EEMS: The most effective immediate action is to enable the Exchange Emergency Mitigation Service (EEMS). This service checks for and applies Microsoft-provided mitigations automatically.
• Monitor IIS Logs: Actively monitor IIS logs on Exchange CAS servers for requests to OWA that contain suspicious strings like <script>, eval(, document.cookie, or other JavaScript code fragments. Use SIEM rules to alert on these patterns. A D3FEND technique for this is Web Session Activity Analysis.
• Endpoint Detection and Response (EDR): Ensure EDR solutions are deployed on Exchange servers and are monitoring the w3wp.exe process for anomalous behavior, such as spawning cmd.exe or powershell.exe.
• Network Security Monitoring: Inspect traffic to and from Exchange servers for unusual patterns. Pay close attention to traffic involving the OWA interface.

Mitigation

Until a permanent security update is available, organizations should prioritize the following actions:

1. Enable Exchange Emergency Mitigation Service (EEMS): This is Microsoft's primary recommendation. EEMS is a built-in feature of the Exchange Server 2016/2019 CU10+ setup that automatically applies critical mitigations. This aligns with the D3FEND countermeasure of Software Update in principle, applying a vendor-supplied fix.
2. Manual Mitigation: If EEMS cannot be enabled, administrators can manually apply the URL Rewrite rule mitigation provided by Microsoft. This involves creating a rule to block known malicious request patterns.
3. Restrict Access to OWA: Limit external access to OWA to only trusted IP addresses or require access through a VPN with Multi-factor Authentication (MFA).
4. Patching Preparedness: Prepare for the deployment of a security update as soon as Microsoft releases it. Given the active exploitation, the patch should be treated as an emergency change.