
Microsoft Exchange OWA zero-day actively exploited via crafted email, no patch yet (CVE-2026-42897)

Just two days after a 138-fix Patch Tuesday that listed no zero-days, Microsoft disclosed CVE-2026-42897, an Exchange Server XSS-to-spoofing flaw it has tagged 'Exploitation Detected.' The bug is rated CVSS 8.1 and was reported by an anonymous researcher. An unauthenticated attacker emails a crafted message; if the victim opens it in Outlook Web Access and meets certain user-interaction conditions, arbitrary JavaScript runs in the context of the victim's browser session, enabling spoofing and session abuse. On-prem Exchange Server 2016, 2019, and Subscription Edition are affected; Exchange Online is not. No permanent patch exists yet; the only mitigation is delivered through the Exchange Emergency Mitigation Service.

Check
Inventory all on-prem Exchange Server 2016, 2019, and Subscription Edition instances; check that the Exchange Emergency Mitigation (EM) Service is enabled and that the May 14 mitigation shows 'Applied'; review OWA web access logs for unusual JavaScript-triggering email opens and crafted-message indicators.
Affected
Microsoft Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and Exchange Server Subscription Edition RTM. Exchange Online customers are not affected. Risk is highest for internet-facing OWA deployments.
Fix
Confirm that the Exchange Emergency Mitigation Service is enabled (it has been on by default since September 2021) and that the mitigation for CVE-2026-42897 shows 'Applied'. If the service is disabled, run EOMT.ps1 with the CVE flag. Permanent updates are coming for SE RTM, 2016 CU23, and 2019 CU14/CU15.
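To carry out the Check and Fix steps above in one pass, here is an added PowerShell example for the Exchange Management Shell; it is not from the article or from Microsoft. It assumes the documented EM Service properties (MitigationsEnabled, MitigationsApplied, MitigationsBlocked) on Get-OrganizationConfig and Get-ExchangeServer, and uses a placeholder for the mitigation ID, which the article does not name.

```powershell
# Added example (not from the article or Microsoft). Run in the Exchange Management Shell
# on an on-prem Exchange 2016/2019/SE server: inventories servers, verifies the
# Emergency Mitigation (EM) Service state, and flags exposed OWA endpoints.
$MitigationId = 'REPLACE_WITH_CVE-2026-42897_MITIGATION_ID'   # placeholder: article gives no ID

# Org-wide switch: the EM Service must be enabled before any mitigation can be applied.
$org = Get-OrganizationConfig
Write-Host ("EM Service enabled org-wide: {0}" -f $org.MitigationsEnabled)

# Internet-facing OWA is the highest-risk exposure; record which servers publish an external URL.
$owaExternal = @{}
foreach ($vdir in Get-OwaVirtualDirectory -ADPropertiesOnly) {
    if ($vdir.ExternalUrl) { $owaExternal[$vdir.Server.Name] = $vdir.ExternalUrl.AbsoluteUri }
}

$report = foreach ($srv in Get-ExchangeServer) {
    # Only Mailbox/Client Access roles serve OWA; Edge Transport servers are skipped.
    if ($srv.ServerRole -notmatch 'Mailbox|ClientAccess') { continue }
    $applied = @($srv.MitigationsApplied)
    [pscustomobject]@{
        Server             = $srv.Name
        Version            = $srv.AdminDisplayVersion      # compare against the affected CU list
        EMServiceEnabled   = $srv.MitigationsEnabled
        MitigationApplied  = $applied -contains $MitigationId
        MitigationsBlocked = ($srv.MitigationsBlocked -join ',')
        InternetFacingOWA  = [bool]$owaExternal[$srv.Name]
    }
}
$report | Sort-Object InternetFacingOWA -Descending | Format-Table -AutoSize

# Servers needing attention: EM disabled or mitigation not yet applied, worst if OWA is exposed.
$report | Where-Object { -not $_.EMServiceEnabled -or -not $_.MitigationApplied } |
    ForEach-Object {
        Write-Warning ("{0}: EM enabled={1}, mitigation applied={2}, OWA exposed={3}" -f
            $_.Server, $_.EMServiceEnabled, $_.MitigationApplied, $_.InternetFacingOWA)
    }
```

Any server listed in the warnings with MitigationsBlocked set, or with the EM Service disabled, will not receive the May 14 mitigation and needs the manual EOMT.ps1 path described above.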