Microsoft disclosed an actively exploited zero-day in on-premises Exchange Server on May 14, tracked as CVE-2026-42897 (CVSS 8.1). The flaw is a cross-site scripting (XSS) bug — “improper neutralization of input during web page generation” — that lets an unauthenticated attacker spoof content in Outlook Web Access (OWA) and run arbitrary JavaScript in a victim’s browser session. Microsoft tagged the advisory with its “Exploitation Detected” assessment and shipped no patch. A permanent fix is “in preparation”; until then, defenders are leaning on the Exchange Emergency Mitigation Service (EEMS).

What’s broken

The vulnerability lives in Exchange’s web rendering path. An attacker sends a specially crafted email; when the recipient opens it in OWA, and after meeting unspecified “certain interaction conditions”, the message body executes JavaScript in the OWA origin. From there the attacker’s script runs inside the victim’s authenticated session: it can spoof UI, issue same-origin requests to OWA’s own endpoints to read or send mail, steal any tokens the page exposes to script (cookies flagged HttpOnly are not directly readable, but same-origin requests carry them regardless), or pivot to internal services that trust the user’s browser context. Microsoft credits an anonymous researcher and has not published technical details, IOCs, attribution, or victim counts. There is no public information on which threat actor cluster is exploiting it or on the scale of the campaign.

Exchange Online tenants are not affected. The bug is exclusively in the on-prem rendering stack.

Affected versions

Every supported on-prem build is impacted at every patch level:

  • Exchange Server 2016 (any CU/SU)
  • Exchange Server 2019 (any CU/SU)
  • Exchange Server Subscription Edition (any release)

If you are running on-prem Exchange in any form — even fully patched as of May 2026 Patch Tuesday — you are vulnerable.

Mitigation

There is no security update yet. Microsoft’s recommended path is the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on supported builds and automatically fetches and applies a URL rewrite mitigation from Microsoft. If your Exchange servers can reach officeclient.microsoft.com, EEMS has likely already applied the rule. Verify rather than assume: Get-OrganizationConfig | Format-List MitigationsEnabled confirms the service is on org-wide, Get-ExchangeServer | Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked lists the mitigation IDs each server has applied or blocked, and the Get-Mitigations.ps1 script in the Exchange Scripts folder prints the description for each ID; the CVE-2026-42897 entry should show as Applied. Note Microsoft has acknowledged a cosmetic bug where the Description field reads “Mitigation invalid for this exchange version” even when the rule is correctly applied; trust the Applied status, not the description text.
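The check above, as an added example (this is not Microsoft’s code and not part of the advisory): it reports EEMS state and the CVE-2026-42897 mitigation for every Mailbox server in one table, and tests reachability of the mitigation endpoint from each server rather than from the admin workstation. It assumes an elevated Exchange Management Shell, PowerShell remoting to the servers, and that the mitigation ID or description contains the CVE string as the advisory text implies; if your applied IDs use a different naming scheme, match against the Get-Mitigations.ps1 output instead.

```powershell
# Added example, not from Microsoft or the advisory. Run in an elevated
# Exchange Management Shell. Assumption: the applied mitigation ID contains the
# CVE string; adjust the -like pattern if Get-Mitigations.ps1 shows otherwise.
$Cve     = 'CVE-2026-42897'
$OcsHost = 'officeclient.microsoft.com'   # endpoint EEMS polls for definitions

# Org-wide switch: when $false, no server applies anything, whatever it can reach.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

$report = Get-ExchangeServer |
    Where-Object { $_.ServerRole -ne 'Edge' } |
    ForEach-Object {
        $server  = $_
        $applied = @($server.MitigationsApplied)
        $blocked = @($server.MitigationsBlocked)

        # Connectivity is tested from the Exchange server itself; a proxy or
        # egress rule that blocks only the servers would otherwise go unnoticed.
        try {
            $reach = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
                param($h) Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet
            } -ArgumentList $OcsHost
        } catch {
            $reach = "remoting failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Server        = $server.Name
            OrgEnabled    = $orgEnabled
            ServerEnabled = $server.MitigationsEnabled
            CveApplied    = [bool]($applied | Where-Object { $_ -like "*$Cve*" })
            CveBlocked    = [bool]($blocked | Where-Object { $_ -like "*$Cve*" })
            AppliedIds    = ($applied -join ',')
            ReachesOcs    = $reach
        }
    }

$report | Format-Table -AutoSize

# Servers listed here are exposed and need EOMT run by hand.
$report | Where-Object { -not $_.CveApplied } | Select-Object -ExpandProperty Server
```

A server with OrgEnabled or ServerEnabled set to $false will never pick up the rule no matter what ReachesOcs says; a server with ReachesOcs of $false and an empty AppliedIds is the classic egress-filtered case that the manual EOMT path below exists for.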

Air-gapped or EEMS-disabled environments need to run the Exchange On-premises Mitigation Tool (EOMT) manually:

# Single server (run locally, from an elevated Exchange Management Shell)
.\EOMT.ps1 -CVE "CVE-2026-42897"

# All Mailbox role servers: EOMT mitigates the server it runs on, so invoke it
# on each one via PowerShell remoting rather than piping server objects into
# the script. Assumes EOMT.ps1 has been copied to C:\Tools on every server.
Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | ForEach-Object {
    Invoke-Command -ComputerName $_.Fqdn -ScriptBlock {
        & "C:\Tools\EOMT.ps1" -CVE "CVE-2026-42897"
    }
}

Pull the latest EOMT from aka.ms/UnifiedEOMT before running; older EOMT releases will not know about this CVE. Run it from an elevated Exchange Management Shell on each Mailbox server, then re-check MitigationsApplied on that server to confirm the rule landed. Edge Transport servers do not need it.

Defense-in-depth steps worth doing now: disable OWA for users who don’t need it (Set-CASMailbox -OWAEnabled $false); if a reverse proxy or WAF fronts /owa, that is where response-header hardening such as a Content-Security-Policy can be layered without modifying Exchange itself; and surface OWA-origin outbound requests to atypical destinations (web proxy logs, not Exchange logs) in your SIEM. The exploit fires inside the browser session, so endpoint EDR will not see it the way it sees a typical post-auth Exchange RCE; the only server-side artifact is the crafted message, which makes message-trace and mail-flow logging the place to hunt.
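The OWA allow-listing step, as an added example (not Microsoft’s code and not from the advisory): it turns OWA off for every mailbox that is not a member of an allow-list group, supports -WhatIf for a dry run, and writes a CSV of what it changed so the step can be reversed once the patch ships. The group name OWA-Allowed is a hypothetical placeholder; an Exchange Management Shell is assumed.

```powershell
# Added example, not from Microsoft or the advisory. Save as Restrict-Owa.ps1
# and run with -WhatIf first. Assumption: a distribution group (here the
# hypothetical "OWA-Allowed") holds the users who still need OWA.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AllowGroup = 'OWA-Allowed',
    [string]$LogPath    = "$env:TEMP\owa-disable-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

# Resolve the allow-list to primary SMTP addresses; compare case-insensitively.
$allowedSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-DistributionGroupMember -Identity $AllowGroup -ResultSize Unlimited |
    ForEach-Object { [void]$allowedSet.Add($_.PrimarySmtpAddress.ToString()) }

$changes = foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    if (-not $cas.OWAEnabled) { continue }                 # already off, nothing to do
    $smtp = $cas.PrimarySmtpAddress.ToString()
    if ($allowedSet.Contains($smtp)) { continue }          # explicitly allowed

    # ShouldProcess honours -WhatIf / -Confirm from the caller.
    if ($PSCmdlet.ShouldProcess($smtp, 'Disable OWA')) {
        Set-CASMailbox -Identity $cas.Identity -OWAEnabled $false
        [pscustomobject]@{
            Mailbox = $smtp
            Action  = 'OWAEnabled:true->false'
            When    = (Get-Date -Format o)
        }
    }
}

$changes = @($changes)
if ($changes.Count -gt 0) {
    $changes | Export-Csv -Path $LogPath -NoTypeInformation
}
Write-Host "$($changes.Count) mailboxes changed; rollback list: $LogPath"

# Rollback once the security update is installed:
#   Import-Csv $LogPath | ForEach-Object { Set-CASMailbox -Identity $_.Mailbox -OWAEnabled $true }
```

Scoping by group rather than by an ad-hoc user list keeps the exception set reviewable, and the CSV means the emergency change does not quietly become permanent.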

Why this one matters

Exchange Server’s exploit history is brutal: ProxyLogon (2021), ProxyShell (2021), ProxyNotShell (2022), and the cluster of post-auth RCEs through 2025. Operators know on-prem Exchange tends to be the slowest-patched edge surface in any enterprise. An unauthenticated, email-delivered XSS that fires when the recipient opens the message in OWA (subject only to the interaction conditions Microsoft has not spelled out) is exactly the kind of primitive that gets weaponized into a credential-harvesting campaign within days. The spoofing-class CVSS score undersells what an attacker can do with JavaScript execution in the OWA origin against a targeted mailbox: riding the victim’s authenticated session, full mailbox access via OWA’s own endpoints, and phishing pages served from the organization’s real Exchange hostname and certificate.

If EEMS is disabled at the org or server level, or your Exchange servers cannot reach Microsoft’s mitigation endpoint, you are exposed right now and should run EOMT before the end of the day.
