
Microsoft confirmed active exploitation of CVE-2026-42897 on May 14 — a cross-site scripting flaw in Exchange’s Outlook Web Access that lets an attacker execute arbitrary JavaScript in a victim’s browser by sending one crafted email. There is no patch. The only protection available right now is a mitigation Microsoft pushed through its Exchange Emergency Mitigation Service the same day it disclosed the bug. CISA added it to the Known Exploited Vulnerabilities catalog the next morning and gave federal agencies until May 29 to remediate. If you’re running on-premises Exchange, your window is narrow.
What the Flaw Actually Does
CVE-2026-42897 is an improper input neutralization bug in Exchange’s Outlook Web Access component — a classic XSS scenario with a CVSS score of 8.1. The attack chain is deceptively simple: an attacker sends a specially crafted email to any Exchange OWA user. The user opens it in a browser. Under certain interaction conditions, arbitrary JavaScript executes in their browser session.
That JavaScript runs with the context of the victim’s authenticated OWA session. From there, an attacker can hijack the session, harvest credentials, or set up persistent access — all from a single email. No phishing link, no malicious attachment. Just an email in the inbox. The attack requires no local access and is fully network-reachable, which is why CISA is treating it as urgent.
Which Servers Are Exposed
The flaw affects all versions of Exchange Server 2016, Exchange Server 2019, and the current Exchange Server Subscription Edition — on-premises installations only. Exchange Online is not affected, since Microsoft controls the OWA rendering environment for hosted customers.
Here’s the harder problem: Exchange 2016 and 2019 both hit end of support on October 14, 2025. The six-month Extended Security Update window expired April 14, 2026 — five weeks before CVE-2026-42897 was disclosed. Organizations still running either version are receiving EEMS emergency mitigations but no regular security patches for anything else. This flaw gets a mitigation because Microsoft ships them broadly. The 138 other vulnerabilities patched in May 2026’s Patch Tuesday? Those servers got nothing.
What To Do Right Now
Microsoft deployed Mitigation M2 for CVE-2026-42897 through the Exchange Emergency Mitigation Service (EEMS) on May 14. If EEMS is enabled — which it is by default — the mitigation was likely applied automatically. Verify before assuming you’re covered.
Run the Exchange Health Checker from aka.ms/ExchangeHealthChecker. The HTML report includes an EEMS section showing which mitigations are applied. You want to see CVE-2026-42897-M2 listed. Alternatively, run this from an elevated Exchange Management Shell:
Get-ServerHealth -Identity <servername> | Where-Object {$_.HealthSetName -eq "EmergencyMitigation"}
Status should return Online. If the output is empty, EEMS is disabled and you need to apply the mitigation manually using the Exchange on-premises Mitigation Tool, documented in Microsoft’s CVE-2026-42897 advisory.
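The verification steps above, scripted across every server in the organization as an added example (it is not the article's or Microsoft's code). It assumes the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that Get-ExchangeServer exposes for EEMS, that the EmergencyMitigation health set reports an AlertValue of Healthy when the service is running, and the mitigation identifier CVE-2026-42897-M2 as the article gives it. Run it from an elevated Exchange Management Shell.

```powershell
# Added example: report EEMS state and CVE-2026-42897-M2 coverage per Exchange server.
# Assumed (not from the article): MitigationsEnabled/MitigationsApplied/MitigationsBlocked
# on Get-ExchangeServer, and AlertValue 'Healthy' for the EmergencyMitigation health set.

$MitigationId = 'CVE-2026-42897-M2'   # identifier as listed in the advisory and Health Checker

$report = foreach ($server in Get-ExchangeServer) {
    # Edge Transport servers do not host OWA; only Mailbox/ClientAccess roles matter here
    if ($server.ServerRole -notmatch 'Mailbox|ClientAccess') { continue }

    $applied = @($server.MitigationsApplied)
    $blocked = @($server.MitigationsBlocked)

    # Health of the EEMS service itself on this server (empty result = EEMS not running)
    $health = @(Get-ServerHealth -Identity $server.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.HealthSetName -eq 'EmergencyMitigation' })
    $unhealthy = @($health | Where-Object { $_.AlertValue -ne 'Healthy' })
    $eemsHealthy = ($health.Count -gt 0) -and ($unhealthy.Count -eq 0)

    [pscustomobject]@{
        Server      = $server.Name
        Version     = $server.AdminDisplayVersion
        EEMSEnabled = [bool]$server.MitigationsEnabled
        EEMSHealthy = $eemsHealthy
        M2Applied   = $applied -contains $MitigationId
        M2Blocked   = $blocked -contains $MitigationId
        Action      = ''
    }
}

# Translate the raw state into the operator action the article describes
foreach ($row in $report) {
    $row.Action = if ($row.M2Applied) { 'Covered' }
        elseif ($row.M2Blocked) { 'M2 blocked on this server: unblock it or apply with EOMT' }
        elseif (-not $row.EEMSEnabled) { 'EEMS disabled: apply M2 manually with EOMT' }
        elseif (-not $row.EEMSHealthy) { 'EEMS unhealthy: fix the service, then re-verify' }
        else { 'EEMS enabled but M2 not yet applied: wait for next check-in or apply with EOMT' }
}

$report | Sort-Object Action | Format-Table -AutoSize
```

Any row other than Covered needs attention before the May 29 deadline; the EOMT steps are in Microsoft's advisory for the CVE.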
Two known side effects of M2: OWA’s Print Calendar feature may break, and inline images in the reading pane may not display correctly. Both are acceptable trade-offs given active exploitation. Full documentation is in Microsoft’s EEMS guide.
Why This Week Was Particularly Bad for Exchange
CVE-2026-42897 landed during Pwn2Own Berlin 2026. On day two of the contest, DEVCORE’s Orange Tsai chained three Exchange bugs together and earned $200,000 for achieving SYSTEM-level remote code execution. That’s a separate attack chain — RCE versus XSS — but the timing is striking: elite researchers publicly demonstrated full Exchange compromise the same week threat actors were already quietly exploiting a different flaw in production.
Exchange keeps showing up at Pwn2Own because it’s legitimately hard to secure. It renders email content in browsers, integrates with Active Directory, and handles authentication for large organizations. Every one of those surfaces is an attack vector. As BleepingComputer reported, this zero-day surfaced two days after Patch Tuesday — which itself patched 138 vulnerabilities — arriving with no accompanying fix.
The Longer View
This is not unusual. CVE-2025-53786, disclosed in August 2025, let attackers pivot from on-premises Exchange into Microsoft 365. Before that, ProxyLogon enabled nation-state mass exploitation. Exchange zero-days emerge roughly two to three times per year, and scanning data from mid-2025 showed over 28,000 Exchange servers still exposed on the public internet.
If your organization is running Exchange 2016 or 2019 with no active migration plan, use this moment to make the case internally. EEMS mitigation buys time — it does not replace a supported, patched platform. When Microsoft releases a permanent fix for CVE-2026-42897, apply it the same day. And add this to the list of reasons to exit end-of-life Exchange before the next zero-day drops.
CISA’s Known Exploited Vulnerabilities catalog has the current guidance. Federal agencies have until May 29. Active exploitation does not wait for internal approval cycles.