Severity
High
Analysis Summary
Microsoft has issued an urgent security advisory for a critical vulnerability tracked as CVE-2026-42897 affecting on-premises Microsoft Exchange Server deployments. The flaw carries a CVSS score of high and is classified as a spoofing vulnerability impacting the Outlook Web Access (OWA) component. According to the report, threat actors are actively exploiting this issue in the wild, targeting organizations before a full permanent patch is released. Importantly, Microsoft Exchange Online (cloud-based email services) is not affected, limiting exposure primarily to organizations running on-premises email infrastructure.
The vulnerability stems from improper input neutralization during web page generation in OWA, effectively enabling a cross-site scripting (XSS) condition. Attackers can exploit this by sending specially crafted malicious emails to victims. If a user opens the email in Outlook Web Access and meets specific interaction conditions, arbitrary JavaScript can be executed within the browser session. This enables network-level spoofing, session manipulation, and potential data theft without requiring administrative privileges, making it highly attractive for threat actors due to its low attack complexity.
The flaw impacts multiple major versions of on-premises Exchange, including Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition across all update levels. Microsoft confirms that active exploitation is already occurring, with attackers leveraging the vulnerability to compromise user sessions and manipulate browser-based data. To mitigate immediate risk, Microsoft has deployed the Exchange Emergency Mitigation Service, which automatically applies protection rule M2.1.x for supported and connected systems. Administrators running disconnected or air-gapped environments must manually apply the mitigation using the official Exchange on-premises mitigation script with elevated privileges.
While the emergency mitigation provides temporary protection, it introduces limited operational side effects, including broken Outlook Web Access print calendar functionality and issues with inline image rendering in emails. Despite these disruptions, Microsoft strongly recommends keeping the mitigation enabled until a permanent fix is released. A full security update is currently under development for Exchange Server Subscription Edition, while older versions such as Exchange Server 2016 and 2019 will receive patches only under the Extended Security Update (ESU) Program (Period 2). Organizations are strongly advised to upgrade and modernize their Exchange infrastructure to ensure compatibility with future security updates and reduce long-term exposure.
Impact
- Sensitive Data Theft
- Gain Access
Indicators of Compromise
CVE
CVE-2026-42897
Remediation
- Immediately apply Microsoft’s Exchange Emergency Mitigation Service (M2.1.x) on all affected on-premises Exchange servers to block active exploitation attempts.
- For air-gapped or disconnected environments, manually download and run the official Exchange on-premises mitigation tool script using an elevated (admin) PowerShell or management shell.
- Restrict and closely monitor access to Outlook Web Access (OWA), especially external or untrusted network access, until a permanent patch is available.
- Implement strict email filtering and anti-phishing controls to block malicious or suspicious emails that may contain crafted payloads.
- Enable and enforce multi-factor authentication (MFA) for all Exchange users to reduce the risk of session hijacking.
- Monitor Exchange and OWA logs for unusual JavaScript execution patterns, spoofing behavior, or abnormal session activity.
- Temporarily disable or restrict non-essential OWA features (such as calendar printing and inline image rendering) if recommended in Microsoft guidance to reduce attack surface.
- Keep systems updated with the latest cumulative updates (CU) for Exchange Server 2016, 2019, or Subscription Edition.