Microsoft Exchange Server Zero-Day: CVE-2026-42897 Exploited via Crafted Emails
#Vulnerabilities


Laptops Reporter

A critical cross-site scripting vulnerability in on-premises Exchange Server is being actively exploited, forcing Microsoft to issue emergency mitigations while a permanent patch remains in development.

Microsoft has confirmed that attackers are actively exploiting a zero-day vulnerability, identified as CVE-2026-42897, targeting on-premises Exchange Server installations. This flaw allows for arbitrary JavaScript execution within a user's browser session when a specifically crafted email is opened via Outlook Web Access (OWA). Because this is a zero-day, attackers began using the exploit before a formal security patch was available, prompting an emergency response from both Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA).


The Technical Breakdown: How the Exploit Works

CVE-2026-42897 is a cross-site scripting (XSS) vulnerability rated with a CVSS score of 8.1. The root cause lies in improper input neutralization during the generation of web pages within the OWA component. When the Exchange Server processes certain data to render a web page, it fails to properly sanitize the input, allowing malicious code to be injected into the page structure.

An attacker does not need server access or even authenticated credentials to begin this attack. The entry point is a simple, malicious email sent to a target's inbox. If a recipient opens this email using the OWA interface under specific interaction conditions, the injected JavaScript executes within the context of the victim's browser session. This can lead to session hijacking, credential theft, or further lateral movement within a corporate network.

It is important to distinguish between environments: Exchange Online (the cloud-based version) is not affected by this flaw. The risk is concentrated entirely on on-premises deployments, which include Exchange Server 2016, Exchange Server 2019, and the Exchange Server Subscription Edition.

Immediate Mitigation and Implementation

Since a permanent patch is not yet ready, Microsoft has deployed an emergency mitigation through the Exchange Emergency Mitigation Service (EEMS).

For most servers, the EEMS applies a mitigation labeled M2.1.x automatically via URL rewrite configurations on Exchange Mailbox servers. However, administrators in air-gapped or disconnected environments cannot rely on automatic updates. In these cases, IT teams must manually download the Exchange On-premises Mitigation Tool and execute it through an elevated Exchange Management Shell.

Administrators should use the Exchange Health Checker script to verify whether the mitigation has been successfully applied. Note that a known cosmetic bug exists where the status might display as "Mitigation invalid for this exchange version." If the status column reads "Applied," the mitigation is functioning correctly despite the misleading text.
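For fleets that mix connected and disconnected Mailbox servers, the following added script (not from the article, Microsoft, or the Health Checker project) reports per server whether an IIS URL Rewrite rule matching the EEMS mitigation name is present on the OWA path. The article only names the mitigation "M2.1.x", so the rule-name pattern and the OWA virtual-directory path are assumptions to be confirmed against the Health Checker output.

```powershell
# Added example, not from the article or Microsoft: per-Mailbox-server check for an
# IIS URL Rewrite rule whose name matches the EEMS mitigation, as seen from the OWA path.
# ASSUMPTIONS: the rule name contains "M2.1" and OWA lives under the Default Web Site.
# Run from an elevated Exchange Management Shell with WinRM access to each server.

param(
    [string]$RuleNamePattern = 'M2\.1',                     # assumption, see above
    [string]$OwaPath = 'IIS:\Sites\Default Web Site\owa'    # assumption: default OWA vdir
)

function Get-OwaRewriteRuleNames {
    param([string]$Server, [string]$Path)
    # Effective rules at the OWA vdir include rules inherited from site and server level.
    Invoke-Command -ComputerName $Server -ErrorAction Stop -ScriptBlock {
        Import-Module WebAdministration
        Get-WebConfiguration -Filter '/system.webServer/rewrite/rules/rule' -PSPath $using:Path |
            Select-Object -ExpandProperty name
    }
}

$report = foreach ($server in (Get-MailboxServer | Select-Object -ExpandProperty Name)) {
    try {
        $names = @(Get-OwaRewriteRuleNames -Server $server -Path $OwaPath)
        $match = @($names | Where-Object { $_ -match $RuleNamePattern })
        [pscustomobject]@{
            Server    = $server
            Reachable = $true
            Mitigated = ($match.Count -gt 0)
            Detail    = ($match -join '; ')
        }
    }
    catch {
        # Unreachable hosts are typically the air-gapped or disconnected nodes that need
        # the manual mitigation tool, so surface them instead of silently skipping.
        [pscustomobject]@{
            Server    = $server
            Reachable = $false
            Mitigated = $false
            Detail    = $_.Exception.Message
        }
    }
}

$report | Sort-Object Mitigated, Server | Format-Table -AutoSize
# Servers still needing attention, for hand-off to the on-site team.
$report | Where-Object { -not $_.Mitigated } |
    Export-Csv -NoTypeInformation -Path .\owa-mitigation-gaps.csv
```

Treat a "Mitigated = False" row as a prompt to run the Health Checker on that host, since the Health Checker, not the rule name, is the authoritative signal the article describes.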

Functional Trade-offs and Side Effects

Applying this emergency mitigation is not without consequences. Because the fix relies on URL rewriting to neutralize malicious inputs, it interferes with certain web-based functionalities in OWA. Administrators should prepare users for the following changes:

  • OWA Print Calendar: This feature will cease to function.
  • Inline Images: Images within the recipient's reading pane may no longer display correctly.
  • OWA Light: The legacy "Light" interface (accessed via the /?layout=light URL) will stop working. While Microsoft deprecated this interface years ago, organizations still relying on it must transition users to the standard OWA URL.

Looking Ahead: The Patching Gap

The timeline for a permanent fix remains unconfirmed. The path to resolution differs based on the version of Exchange being used. The Exchange Server Subscription Edition will receive the permanent update through standard channels. However, users of Exchange Server 2016 and 2019 are in a more precarious position; they will only receive the permanent patch through Microsoft's Period 2 Extended Security Update (ESU) program. Organizations without an active ESU enrollment will remain reliant on the manual emergency mitigation until they upgrade their infrastructure.

CISA has added this flaw to its Known Exploited Vulnerabilities catalog, mandating that Federal Civilian Executive Branch agencies remediate the issue by May 29. For private enterprises, the priority remains verifying the EEMS status and ensuring manual mitigations are applied to all disconnected nodes to prevent ransomware groups from leveraging this entry point.
