An attacker sends one email. The victim opens it in Outlook Web Access. No attachment, no macro, no second click. Arbitrary JavaScript executes inside their authenticated OWA session, and within seconds the attacker has planted email forwarding rules that copy every future message to an address they control. The victim changes their password the next morning. The forwarding rules survive. That is CVE-2026-42897 — a zero-day in Microsoft Exchange Server’s Outlook Web Access that has been actively exploited since at least May 14, with no permanent patch until June 10 at the earliest.
What the Vulnerability Does
CVE-2026-42897 is a reflected cross-site scripting flaw scored CVSS 8.1. Exchange Server fails to sanitize specific email content before rendering it inside OWA, allowing attacker-controlled JavaScript to execute with full user privileges in the browser. The vulnerable products are Exchange Server 2016, 2019, and the Subscription Edition. Exchange Online is unaffected.
Because modern browsers block direct JavaScript access to HttpOnly session cookies, the attackers bypass token theft entirely — they don’t need your tokens. Instead, they exploit same-origin session riding: the malicious script makes authenticated OWA API calls directly from the victim’s own browser tab. Read their email. Send email as them. Modify calendar entries. And — most critically — create inbox forwarding rules that exfiltrate every email received going forward.
“The boring vulnerabilities are the ones that keep working,” said Bogdan Tiron of Fortbridge — a researcher who has tracked XSS exploitation against mail servers for years.
Exchange has historically attracted rapid attention from nation-state operators and ransomware groups precisely because it sits at the center of organizational communications and OWA is frequently internet-facing. ProxyLogon in 2021. ProxyShell shortly after. The pattern repeats.
The Persistence Problem
Here is what standard patch-now coverage skips: applying the mitigation today does not undo what an attacker may have already planted. If a user opened a malicious email before the fix was applied, forwarding rules created by that JavaScript continue running — silently, persistently — until someone explicitly finds and removes them. A password reset does nothing to stop it.
Run this against your environment immediately:
Get-Mailbox -ResultSize Unlimited | Get-InboxRule | Where-Object { $_.ForwardTo -ne $null -or $_.RedirectTo -ne $null }
Any rule forwarding to an external domain you don’t recognize is a compromise indicator. Check logs going back at least ten days — active exploitation was already underway before Microsoft’s May 14 disclosure.
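As an added example (not from the article or from Microsoft's guidance), a fuller version of that audit: it also checks ForwardAsAttachmentTo, which the one-liner misses, and reports only targets outside the organization's accepted domains. It assumes Get-AcceptedDomain covers every domain you treat as internal and that rule recipients stringify as "Name" [SMTP:address] (internal recipients show as [EX:/o=...] and are skipped).

```powershell
# Added example, not part of the original article. Run from an elevated
# Exchange Management Shell. Assumption: Get-AcceptedDomain lists every
# domain that counts as internal; anything else is flagged.

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Get-SmtpTargets {
    # Rule recipients render as "Name" [SMTP:user@example.com] for SMTP
    # addresses or "Name" [EX:/o=...] for internal objects; only the SMTP
    # form can point outside the organization.
    param([object[]]$Recipients)
    foreach ($r in $Recipients) {
        if ("$r" -match 'SMTP:([^\]]+)\]') { $Matches[1].ToLower() }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        # Three distinct exfiltration paths: forward, redirect, forward-as-attachment.
        $recipients = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)
        foreach ($target in (Get-SmtpTargets $recipients)) {
            $domain = $target.Split('@')[-1]
            if ($internalDomains -notcontains $domain) {
                [pscustomobject]@{
                    Mailbox     = $mbx.PrimarySmtpAddress
                    RuleName    = $rule.Name
                    Enabled     = $rule.Enabled
                    Target      = $target
                    DeletesCopy = $rule.DeleteMessage   # rules that also delete hide the copy from the owner
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Disabled rules are still listed because a rule that was switched off rather than removed is just as easy to re-enable; treat any unexplained external target as a compromise indicator and preserve the rule details before deleting it.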
Apply the Mitigation Now
CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities catalog on May 15 and gave federal civilian agencies until May 29 to remediate. If your organization runs on-premises Exchange, treat that deadline as yours too.
Microsoft’s official guidance centers on the Exchange Emergency Mitigation Service (EEMS), which is enabled by default on Exchange Server 2016, 2019, and SE. The auto-applied workaround (M2.1.x) uses URL rewriting to block the attack vector. Verify it is active using the Exchange Health Checker.
If EEMS is disabled, re-enable it:
Set-ExchangeDiagnosticsInfo -Server [Server] -Process MSExchangeServiceHost -Component MitigationService -Enabled $true
For air-gapped environments without internet access, run the Exchange On-Premises Mitigation Tool from an elevated Exchange Management Shell:
.\EOMT.ps1 -CVE "CVE-2026-42897"
What the Mitigation Breaks
The URL rewrite workaround has known side effects worth flagging before your help desk gets flooded. OWA calendar printing breaks. Inline images stop displaying in the reading pane. OWA Light becomes non-functional. Users accessing OWA through Internet Explorer or Edge in IE compatibility mode are not protected and should be blocked from OWA access until the permanent patch ships. The OWACalendar.Proxy healthset will report as unhealthy — this is a false positive generated by the mitigation itself, not a separate problem.
What’s Next
Microsoft has confirmed permanent patches for Exchange SE RTM, Exchange 2016 CU23, and Exchange 2019 CU14/CU15. The next Patch Tuesday is June 10 — a potential 27-day exposure window from initial disclosure. Apply the permanent fix immediately when it ships.
The real priority right now: audit your mailbox rules before anything else. If attackers were active before you applied the mitigation — and given confirmed active exploitation at disclosure time, some organizations almost certainly were targeted — you may already be forwarding mail to strangers. The workaround stops new attacks. It does nothing for persistence already in place.