Microsoft patches actively exploited Exchange Server zero-day in OWA
#Vulnerabilities

Security Reporter

Microsoft has shipped a fix for CVE-2026-42897, a high-severity Exchange Server flaw that let attackers run arbitrary JavaScript in Outlook Web Access through a malicious email. With CISA already flagging it as exploited in the wild, admins are being told to patch now and keep the emergency mitigations running.

Microsoft has patched an Exchange Server vulnerability that attackers were already using in the wild, closing a hole that allowed arbitrary JavaScript to run in the browsers of Outlook Web Access (OWA) users. The flaw, tracked as CVE-2026-42897, is a high-severity spoofing and cross-site scripting (XSS) issue that affects Exchange Server 2016, Exchange Server 2019, and the newer Exchange Server Subscription Edition (SE).

What makes this one worth your immediate attention is the combination of low barrier and high reach. A remote attacker needs no privileges and no foothold inside your network. According to the Exchange Team, "An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context." In practice, that means a single crafted message landing in an inbox can hijack the session of whoever reads it through OWA.

What actually happened

The timeline here tells a story that security teams should sit with for a moment. Microsoft rolled out an automatic temporary mitigation back in mid-May through the Exchange Emergency Mitigation Service (EEMS), well before a full patch existed. EEMS is the mechanism Microsoft built after the ProxyLogon and ProxyShell debacles, designed to push interim protections to on-premises Exchange servers automatically while a real fix is developed. The fact that Microsoft reached for it in May is a strong signal that exploitation was real and ongoing.

The Cybersecurity and Infrastructure Security Agency reinforced that signal by adding CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15, ordering U.S. federal agencies to patch within two weeks, by May 29. CISA only adds entries to that list when it has evidence of active exploitation, so the KEV listing is effectively confirmation that this was not a theoretical risk.

The actual security updates arrived as part of Microsoft's June 2026 Patch Tuesday release. Microsoft's advice is blunt: install the updates "as soon as possible," and crucially, leave the EEMS mitigations in place even after patching. "The mitigation provides an additional layer of defense and helps ensure continuous protection as further improvements are released," the company noted in its updated advisory.

Why XSS in OWA is a bigger deal than it sounds

Cross-site scripting tends to get filed away as a web app nuisance, but in the context of a mail server it becomes something more dangerous. Outlook Web Access runs inside an authenticated session that holds the keys to a user's entire mailbox. JavaScript executing in that browser context can read messages, exfiltrate data, manipulate mail flow rules, or pivot toward credential theft, all while operating as a legitimately logged-in user.

Because the trigger is simply receiving and opening an email, traditional perimeter defenses offer limited help. There is no malicious attachment to detonate in a sandbox and no obvious payload download. The exploit lives in the rendering of the message itself. That is exactly the kind of pattern defenders struggle to catch, which is why Microsoft says it is continuing to "enhance protections for cross-site scripting attacks" as an ongoing effort rather than a one-time fix.

Exchange remains a favorite target

This vulnerability fits a long and uncomfortable trend. Over the past five years, CISA has added 20 Microsoft Exchange Server flaws to its exploited-in-the-wild list, and ransomware operators have abused 14 of them. On-premises Exchange has become reliable territory for attackers because the servers are internet-facing by design, often run behind on patching, and sit directly on top of an organization's most sensitive communications.

The end-of-support situation adds another layer of risk. Exchange 2016 and 2019 reached the end of support last fall, and within weeks CISA and the National Security Agency published joint guidance on hardening Exchange servers. If you are still running those versions, you are now in a window where patches for some classes of issues may slow or stop, making migration to Exchange SE or Exchange Online a planning priority rather than an afterthought.

Practical takeaways for admins

The short version is to patch now, but the details matter. Apply the June 2026 Security Updates for your specific Exchange version, then confirm the update actually completed. Exchange cumulative and security updates have a long history of silent failures when run without elevated privileges, so verify build numbers afterward rather than assuming success.

Keep the EEMS mitigations enabled. Microsoft is explicit that the mitigation and the patch are meant to work together, not as alternatives. If you previously disabled EEMS or run it in a mode that does not auto-apply, this is a good moment to revisit that configuration.

Beyond the immediate fix, treat this as a prompt to audit your OWA exposure. Ask whether OWA truly needs to be reachable from the open internet for every user, whether multi-factor authentication is enforced on those sessions, and whether you have logging in place that would actually surface a hijacked OWA session. That last point connects to a broader detection gap that defenders keep running into.
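The three checks above (did the update take, is EEMS still on, how exposed is OWA) can be scripted. The following is an added example for the Exchange Management Shell, not code from the article or from Microsoft. It reads the file version of ExSetup.exe, the check Microsoft documents for confirming a security update, and compares it with an expected build; the June 2026 build number is not given in the article, so $ExpectedBuild is a placeholder you fill in from Microsoft's build table. It then reports the EEMS state and applied/blocked mitigations from Get-ExchangeServer, and lists the external URL and authentication methods of each OWA virtual directory from Get-OwaVirtualDirectory. It does not check MFA, which is enforced in front of Exchange rather than by it.

```powershell
# Added example (not the article's or Microsoft's own script). Run elevated in the
# Exchange Management Shell on each on-premises Exchange 2016/2019/SE server.

# PLACEHOLDER: the article does not state the build the June 2026 SU produces.
# Take it from Microsoft's Exchange build numbers page for your CU and replace this.
$ExpectedBuild = [version]'0.0.0.0'   # ASSUMPTION: placeholder, must be replaced

# 1. Verify the update actually completed. AdminDisplayVersion does not change for
#    security updates, so compare the file version of ExSetup.exe instead.
$fv = (Get-Command ExSetup.exe -ErrorAction Stop).FileVersionInfo
$installed = [version]::new($fv.FileMajorPart, $fv.FileMinorPart,
                            $fv.FileBuildPart, $fv.FilePrivatePart)
if ($installed -lt $ExpectedBuild) {
    Write-Warning "ExSetup.exe is $installed, expected at least $ExpectedBuild." +
                  " The SU may have failed silently; check that it ran with elevated privileges."
} else {
    Write-Host "Build check OK: ExSetup.exe $installed"
}

# 2. Confirm EEMS is still enabled and show which mitigations it has applied or blocked.
$server = Get-ExchangeServer -Identity $env:COMPUTERNAME
if (-not $server.MitigationsEnabled) {
    Write-Warning ("EEMS is disabled on {0}. Re-enable with: " +
                   "Set-ExchangeServer -Identity {0} -MitigationsEnabled `$true") -f $server.Name
}
$server | Format-List Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

# 3. Audit OWA exposure: an ExternalUrl means the directory is published outside;
#    the auth columns show whether forms/basic/Windows auth are accepted on it.
Get-OwaVirtualDirectory -Server $server.Name | ForEach-Object {
    [pscustomobject]@{
        Server              = $_.Server
        ExternalUrl         = $_.ExternalUrl
        InternalUrl         = $_.InternalUrl
        FormsAuth           = $_.FormsAuthentication
        BasicAuth           = $_.BasicAuthentication
        WindowsAuth         = $_.WindowsAuthentication
        ExternallyReachable = [bool]$_.ExternalUrl
    }
} | Format-Table -AutoSize
```

The MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties only exist on cumulative updates that ship EEMS; on an older CU the EEMS section prints blanks, which is itself a finding, since that server cannot receive Microsoft's interim mitigation at all. Rows with ExternallyReachable set to True and BasicAuth enabled are the ones to revisit first when deciding whether OWA needs to be internet-facing for every user.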

Industry data suggests organizations log a majority of successful attacks but alert on only a small fraction of them, meaning much of the malicious activity moves through environments without ever tripping a detection rule. A patch closes one door, but it does nothing for the rules that should have caught the intrusion in the first place. Testing your SIEM and EDR coverage against realistic attack behavior, rather than trusting that the rules fire as intended, is the kind of validation that turns a patched vulnerability into a genuinely defended one.

For anyone running Exchange on-premises, the lesson from this round is the same as the last several: these servers are perennial targets, the gap between disclosure and exploitation keeps shrinking, and the safest posture combines fast patching with the assumption that attackers are already probing. Get the June updates deployed, leave the mitigations on, and use the moment to check whether you would actually see an attack that slipped past the fix.
