A critical cross‑site scripting vulnerability (CVE‑2026‑42897) affecting Exchange Server 2016, 2019 and Subscription Edition lets attackers execute JavaScript in victims’ browsers via crafted OWA emails. Microsoft’s emergency mitigation may break inline images and calendar printing, while a full patch is still pending. The flaw raises immediate compliance concerns under GDPR, CCPA and other data‑protection laws, exposing organisations to hefty fines if personal data is compromised.
Exploited Exchange Server flaw turns OWA inboxes into script launchpads

Microsoft has confirmed a new vulnerability in on‑premises Exchange Server that can turn a victim’s Outlook Web Access (OWA) inbox into a launchpad for arbitrary JavaScript. The issue, tracked as CVE‑2026‑42897, received a CVSS 8.1 rating and is already being exploited in the wild.
What happened?
- An attacker sends a specially crafted email to a user who accesses it through OWA.
- When the user performs a minimal interaction – for example, hovering over a link or opening a preview – the malicious payload is executed in the browser’s context.
- The payload is plain JavaScript, giving the attacker the same privileges as the logged‑in user within OWA. This can be used to steal session cookies, read mailbox contents, or launch further attacks against the corporate network.
Microsoft describes the flaw as a spoofing vulnerability stemming from cross‑site scripting (XSS). It affects Exchange Server 2016, 2019 and the latest Exchange Server Subscription Edition (SE), regardless of the applied cumulative updates.
Legal basis and regulatory implications
GDPR (EU)
- Article 32 requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. An XSS flaw that enables remote code execution in a web‑mail client is a direct breach of that obligation.
- If personal data – such as email contents, contacts or attachments – is accessed or exfiltrated, the controller must notify the supervisory authority within 72 hours (Article 33) and, where the breach is likely to result in a high risk to the rights and freedoms of individuals, also inform the affected data subjects (Article 34).
- Failure to comply can lead to fines of up to €20 million or 4 % of global annual turnover, whichever is higher.
CCPA (California)
- Under §1798.150, a business that experiences a data breach involving personal information must provide notice to affected California residents “in the most expedient way possible.”
- The California Attorney General can impose civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Repeated failures can also trigger statutory damages of up to $750 per consumer per incident.
Other regimes
- Brazil’s LGPD, Canada’s PIPEDA and Australia’s Privacy Act all contain breach‑notification duties and similar penalty structures. Companies operating globally must therefore treat the Exchange flaw as a cross‑jurisdictional compliance emergency.
Impact on users and companies
| Affected parties | Consequences |
|---|---|
| Enterprises running on‑prem Exchange | Potential theft of confidential emails, contacts and calendar data; lateral movement opportunities for ransomware groups; disruption of OWA features (inline images, calendar printing, OWA Light). |
| Managed service providers | Liability for clients if they fail to apply the emergency mitigation or miss the ESU enrollment deadline. |
| End‑users | Loss of privacy, possible phishing‑style credential harvesting, reduced functionality in OWA (inline images disabled, print‑calendar broken). |
| Regulators | Increased scrutiny of organisations that have not migrated to Exchange Online or failed to enrol in the Extended Security Updates (ESU) program. |
The emergency mitigation released through the Exchange Emergency Mitigation (EM) Service disables the vulnerable rendering path. However, Microsoft warned that the mitigation may break:
- Inline images in the OWA reading pane – users must open images as attachments.
- The Print Calendar function – users should resort to screenshots or the Outlook desktop client.
- OWA Light – already deprecated in 2024, but some legacy deployments still rely on it.
Because many on‑prem Exchange servers reside in air‑gapped or otherwise isolated networks, the manual mitigation steps are crucial for those environments.
What changes are required?
- Apply the EM service immediately – follow Microsoft’s guidance at the Exchange Emergency Mitigation page. Test the impact on critical workflows before rolling out organisation‑wide.
- Enroll in the Exchange Server ESU Period 2 if you are still on Exchange 2016 or 2019. The second ESU window opened in May 2026 and will be the last chance to receive security updates for those versions.
- Plan a migration to Exchange Online or a newer on‑prem version before the ESU program ends. Moving to the cloud eliminates this specific XSS risk because Exchange Online is not affected.
- Conduct a GDPR/CCPA breach‑readiness review:
  - Verify that you have a documented incident‑response plan that includes XSS‑related breaches.
  - Ensure you can produce logs showing when the mitigation was applied and which mailboxes were potentially exposed.
  - Update data‑subject notification templates to reference a “web‑mail script injection” scenario.
- Audit third‑party integrations that render OWA content (e.g., archiving solutions, CRM connectors). Some may need configuration changes to handle the disabled inline images.
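The evidence point in the breach‑readiness review (a record of when the mitigation was applied and which mailboxes were potentially exposed) can be captured from the Exchange Management Shell. The script below is an added example written for this article, not Microsoft’s advisory script or anything from the GitHub repository it mentions. It assumes the output folder is a placeholder you replace with a protected share, and that the Get‑ExchangeServer properties MitigationsEnabled, MitigationsApplied and MitigationsBlocked, plus the ServerName property of Get‑CASMailbox, are present on your Exchange build; the EM service does not expose a per‑mitigation timestamp here, so the script records its own UTC timestamp at the moment the state is observed.

```powershell
# Added example (not Microsoft's script): snapshot the EM mitigation state of every Exchange
# server and the set of OWA-enabled mailboxes with a UTC timestamp, so the "when was the
# mitigation applied / which mailboxes were exposed" evidence exists for a GDPR/CCPA review.
# Run in the Exchange Management Shell with an Organization Management account.
# Assumptions: $OutputFolder is a placeholder path; MitigationsEnabled/MitigationsApplied/
# MitigationsBlocked are the Get-ExchangeServer properties populated by the EM service.

param(
    [string]$OutputFolder = 'C:\ExchangeEvidence'   # placeholder; use a write-protected share
)

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

# 1. Per-server mitigation state as reported by the EM service.
$serverState = @(foreach ($srv in Get-ExchangeServer) {
    [pscustomobject]@{
        RecordedUtc         = $stamp
        Server              = $srv.Name
        AdminDisplayVersion = [string]$srv.AdminDisplayVersion
        MitigationsEnabled  = $srv.MitigationsEnabled
        MitigationsApplied  = (@($srv.MitigationsApplied) -join ';')
        MitigationsBlocked  = (@($srv.MitigationsBlocked) -join ';')
    }
})
$serverState | Export-Csv -Path (Join-Path $OutputFolder "mitigation-state-$stamp.csv") -NoTypeInformation

# 2. Exposure scope: a mailbox reachable through OWA counts as potentially exposed until the
#    server hosting it has the EM service enabled and reports at least one applied mitigation.
$unmitigated = @($serverState | Where-Object {
    -not $_.MitigationsEnabled -or [string]::IsNullOrEmpty($_.MitigationsApplied)
} | Select-Object -ExpandProperty Server)

$owaMailboxes = @(Get-CASMailbox -ResultSize Unlimited -Filter "OWAEnabled -eq `$true" |
    Select-Object @{ n = 'RecordedUtc'; e = { $stamp } },
                  PrimarySmtpAddress, ServerName, OWAMailboxPolicy,
                  @{ n = 'ServerMitigated'; e = { $_.ServerName -notin $unmitigated } })
$owaMailboxes | Export-Csv -Path (Join-Path $OutputFolder "owa-mailboxes-$stamp.csv") -NoTypeInformation

# 3. Summary with SHA-256 of both CSVs, so the record can be attached to the incident file
#    and verified later if the regulator asks for it.
$summary = [pscustomobject]@{
    RecordedUtc         = $stamp
    Servers             = $serverState.Count
    ServersUnmitigated  = $unmitigated.Count
    OwaMailboxes        = $owaMailboxes.Count
    OwaMailboxesExposed = @($owaMailboxes | Where-Object { -not $_.ServerMitigated }).Count
    Files               = @(Get-ChildItem $OutputFolder -Filter "*-$stamp.csv" | ForEach-Object {
        @{ Name = $_.Name; Sha256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash }
    })
}
$summary | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $OutputFolder "summary-$stamp.json")
$summary | Format-List
```

Run it once before applying the mitigation and again afterwards; the two summary files then show the change in ServersUnmitigated and OwaMailboxesExposed between the timestamps, which is the chronology a notification decision under Articles 33 and 34 has to rest on. The mailbox list is an upper bound (every OWA‑enabled mailbox on an unmitigated server), not proof that any of them received a crafted message.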
Looking ahead
Microsoft has said a full security update will be released soon, but only the Exchange SE version will be publicly available at launch. Customers on Exchange 2016/2019 will receive the fix only if they are enrolled in the ESU program – a clear incentive to move away from legacy on‑prem installations.
In the meantime, organisations should treat CVE‑2026‑42897 as a high‑severity compliance incident. The combination of technical exposure and the strict notification timelines under GDPR and CCPA means that a delay in mitigation could translate directly into regulatory fines that dwarf the cost of a patch.
For further technical details on the mitigation steps, see Microsoft’s official advisory and the accompanying PowerShell script repository on GitHub.